NOTE!

As of 25 May 2018, the authority competent for personal data protection is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych). The office's new website is available at: www.uodo.gov.pl.

The materials published on the website of the Inspector General for Personal Data Protection (GIODO), available at www.giodo.gov.pl, are archival.


I OSK 249/09 – Ruling of the Supreme Administrative Court

Ruling dated: 2009-12-01, final and legally valid ruling

Claim dated: 2009-02-24

Court: Supreme Administrative Court

Judges: Barbara Adamiak /presiding judge/, Ewa Dzbeńska /reporter/, Wojciech Mazur

Symbol: 647 – Issues related to data protection

Keywords: Personal data protection

Related cases: II SA/Wa 903/08 – Ruling of Provincial Administrative Court in Warsaw given on 2008-11-27

Defendant Authority: The Inspector General for Personal Data Protection

Outcome: The contested ruling was quashed and the claim – rejected

Provisions quoted:

Journal of Laws 2002 No. 153 item 1270, Article 188 – Act of 30 August 2002 Law on proceedings before administrative courts

Journal of Laws 2002 No. 101 item 926, Article 23 paragraph 1 pt. 1, Article 26 – Act of 29 August 1997 on the protection of personal data – unified text

Journal of Laws 1998 No. 21 item 94, Article 22 – Act of 26 June 1974 – Labour Code – unified text

Theses

1. The lack of balance in the employment relationship calls into question the freedom of consent to the collection and processing of biometric data. Due to this fact, the legislators limited, in Article 22¹ of the Labour Code, the scope of employee data which the employer may request. Using employee’s consent as legal basis for the collection of data other than specified in Article 22¹ of the Labour Code would amount to a circumvention of this provision;

2. The risk of breach of fundamental rights and freedoms needs to be proportionate to the purpose it is intended to serve. As the proportionality principle, specified in Article 26 paragraph 1 pt. 3 of the Data Protection Act is giving consent for the processing of biometric data, it needs to be underlined that the use of biometric data to control the working hours of the employees is not proportionate to the intended purpose of their processing.

Sentence

The Supreme Administrative Court composed of: Presiding judge Barbara Adamiak from Supreme Administrative Court and judges: Ewa Dzbeńska from the Supreme Administrative Court (reporter), Wojciech Mazur delegated from the Provincial Administrative Court and Urszula Radziuk (minutes keeper), adjudicating on 1 December 2009 in the General Administrative Chamber on a cassation claim of the Inspector General for Personal Data Protection concerning the ruling of Provincial Administrative Court in Warsaw of 27 November 2008, case ref. no. II SA/Wa 903/08 on the claim of L. Spółka z o.o. having its registered seat in M. concerning the decision of the Inspector General for Personal Data Protection of [...] April 2008, ref. no. [...] on personal data protection

1/ repeals the contested ruling and rejects the claim;

2/ orders L. Spółka z o.o. having its registered seat in M. to pay the Inspector General for Personal Data Protection PLN 357 (three hundred and fifty seven Polish zlotys) to cover the costs of cassation proceedings.

Justification

In its ruling of 27 November 2008, case ref. no. II SA/Wa 903/08, the Provincial Administrative Court in Warsaw, having considered the case of L. Spółka z o.o. having its registered seat in M., repealed the decision of the Inspector General for Personal Data Protection of [...] April 2008, ref. no. [...], and the preceding decision of [...] February 2008, ref. no. [...] on personal data protection.

The ruling was given in the following factual and legal circumstances:

In its decision of [...] February 2008, ref. no. [...], the Inspector General for Personal Data Protection, having carried out administrative proceedings concerning the processing of personal data by L. Sp. z o. o. having its registered seat in M.:

In Point I, ordered the company to remedy the irregularities in data processing by:

1. deleting personal data of the employees including digitalized information on their fingerprints, within 14 days of the day the decision becomes binding;

2. ceasing to collect the personal data of the employees including digitalized information on their fingerprints, from the day the decision becomes binding;

3. elaborating and implementing a security policy within 14 days of the day the decision becomes binding;

4. elaborating and implementing instructions for management of IT system used to process personal data within 14 days of the day the decision becomes binding.

In Point II, discontinued the proceedings in other respects.

In justification for the decision, the Inspector General for Personal Data Protection explained that the company, acting as data controller, breached data protection provisions by processing personal data including digitalized information on fingerprints (in the form of a sequence of numbers) without legal basis as well as by lacking a security policy, instructions for management of IT system used to process personal data and administrator of information security.

In the course of the proceedings it was found that fingerprint scanners were installed at the entrances to the premises of the company, where offices and production plant were situated. Working hours were evidenced with the use of RFID cards and by registration by the means of fingerprint scanners. Biometric data (fingerprints) were collected on the basis of a written consent of the data subject.

According to the authority, the processing of employees’ personal data (fingerprints) was carried out without a legal basis. The Inspector General also pointed out that, as it was found in the course of the proceedings, the company does not maintain documentation describing the manner the data is processed and did not implement technical and organisational measures to ensure the protection of personal data commensurate with the risks and the categories of data to be protected i.e. a security policy, and instructions for management of IT system used to process personal data.

Furthermore, the Inspector General stated that in the course of the proceedings an irregularity constituting the object of the proceeding and consisting in lack of administrator of information security was remedied, hence proceedings in this respect were discontinued.

In the decision of [...] April 2008, ref. no. [...], the Inspector General for Personal Data Protection upheld the decision of [...] February 2008, ref. no. [...] in its contested part (pts. I 1 and 2), as the claim was found ungrounded.

The Provincial Administrative Court in Warsaw repealed the challenged decision and the preceding decision of [...] February 2008 (pt. I 1 and 2). The court stated that the Inspector General for Personal Data Protection was right to assume that digitalised information concerning fingerprints was personal data. As fingerprints were found to constitute personal data in the light of the Data Protection Act, it was necessary to establish whether such data were legitimately processed by the company. The Provincial Administrative Court in Warsaw, which considered the case, did not concur with the view, expressed by the data protection authority, that there was no legal basis for data processing.

The court stated that biometric data (employees’ fingerprints) were collected on the basis of consent expressed by the employees in the form of a written declaration which did not have a blanket (general) nature but concerned a specific issue of legal processing of personal data – fingerprints. Such declarations clearly specified that a given person consented to the processing of his/her personal data, in that case – fingerprints.

The provision of Article 23 paragraph 1 pt. 1 of the Data Protection Act stipulates that the consent of the data subject is a possible legal basis for personal data processing and in the light of the competencies of the Inspector General, this should suffice to state that the data is processed legitimately. The data protection authority is not entitled to question the declaration of consent to data processing as it would go outside its statutory duties. The declaration of consent to data processing may not be assessed by the Inspector General from the point of view of civil law and has legal effect until the moment of its revocation or challenging in a manner specified in the legal provisions.

Despite correct findings concerning the existence of declarations of consent to data processing submitted by the employees of the company, the Inspector General for Personal Data Protection stated that they were not sufficient legal basis for data processing. According to the court of first instance, not only was such a conclusion wrong, but it also proved that the authority questioned the declarations submitted, “searching” for other basis for data processing by applying the norms of the labour law which – in its view – protect the rights of the employees more comprehensively than the Data Protection Act.

The court referred to Article 22¹ section 5 of the Labour Code, stating that if personal data is not regulated by sections 1-4 thereof, provisions on data protection apply, hence the Data Protection Act shall apply to all employee data other than specified in Article 22¹ sections 1-4 of the Labour Code. In the light of the above, the court decided that the employer only requires data specified by the labour law and that the employer was entitled to request other data specified by other legal provisions. Article 22¹ sections 1-4 of the Labour Code does not mention personal data of the employee in the form of fingerprints, however, pursuant to Article 22¹ section 5 of the Labour Code, the employer may also collect such data if any of the preconditions for the legality of their processing is fulfilled. Both regulations in conjunction stipulate that the collection of employees’ personal data such as fingerprints or retina patterns is not prohibited as a rule, however, it must be carried out in accordance with the provisions of the Data Protection Act. Therefore, it may be assumed that the provisions of the labour law ensure a more comprehensive protection of employee information than the Data Protection Act, as the provisions of the latter stipulate the necessity to control the processing of data other than those specified in Article 22¹ sections 1-4 of the Labour Code.

To conclude, the Court underlined that the prerequisites specified in Article 23 paragraph 1 of the abovementioned Act have independent and autonomous nature and introduce a gradation of legal basis for data processing, beginning with the consent of the data subject and ending with legitimate interest of data controllers or data recipients. Fulfilling one prerequisite is sufficient to deem the data processing legitimate and if one legal basis exists, there is no need to check whether another prerequisite is fulfilled. If consent to data processing was given, the data protection authority should assume that the data is processed legitimately.

The Inspector General for Personal Data Protection submitted a cassation claim to the abovementioned ruling supplemented by a letter of 21 May 2009. The authority challenged the entire ruling and requested its repeal, reconsideration of the case by the Provincial Administrative Court and return of the costs of the proceedings, in accordance with the legal norms.

The claimant argued that the court of first instance breached the provisions of material law, Article 22¹ section 5 of the Labour Code in relation to Article 23 paragraph 1 pt. 1 of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2002 No. 101, item 926 with amendments) by construing and applying them wrongly and assuming that the abovementioned provisions allow to process all personal data in case of obtaining consent of the data subject.

In justification, the claimant argued that the Inspector General for Personal Data Protection issued the challenged decisions on the basis of an interpretation of the provisions of the Labour Code and of the Data Protection Act different from the one presented in the ruling of the Provincial Administrative Court in Warsaw. In Article 22¹ sections 1, 2 and 4 of the Labour Code the legislator specified which personal data the employer may request of the employee. The abovementioned provisions unequivocally stipulate that only the personal data specified therein may be processed. The word “request” found in the provisions refers to the collection of personal data and hence to their further processing. The legal basis for the processing of personal data may therefore be found in the abovementioned provisions of the Labour Code, which at the same time specify the scope of data which may be collected.

According to the Inspector General for Personal Data Protection, Article 22¹ section 5 of the Labour Code should be interpreted so as to allow for the use of data protection provisions only in instances which are not regulated in the preceding sections of this article. Article 22¹ section 5 of the Labour Code only refers to the data protection provisions to point out that in other instances, not regulated in the Code, the provisions of the Data Protection Act apply – only to the personal data whose scope was specified by the Labour Code. Hence, it is not permissible to use the legal basis specified in Article 23 paragraph 1 or Article 27 paragraph 2 of the Data Protection Act as legal basis for the employer collecting data other than those specified in the Labour Code.

Furthermore, the consent to personal data protection may not constitute legal basis for the collection of other personal data of the employee. Hence, the charge presented by the court of first instance, stating that the Inspector General for Personal Data Protection assessed the declaration of consent to data protection on the grounds of civil law, thus exceeding its competences, is ungrounded. The data protection authority did not base the challenged decisions on the assessment of the declarations submitted by the employees of L. Sp. z o.o., but on the fact that the processing of data on the basis of such consent was not permissible.

At the same time, the claimant argued that the collection of employee data exceeding the scope specified in the Labour Code by the employers constitutes a privacy breach and hence a violation of a constitutional right.

The Inspector General for Personal Data Protection also underlined that if employees’ consent to the collection of their data was to be considered legal basis, it is necessary to assess whether such consent was voluntary. Circumstances arising with regard to the relationship between employers and employees create an imbalance which enables the employers to extort consent.

The Supreme Administrative Court adjudicated as follows: the prerequisites for the invalidity of administrative court proceedings enumerated in Article 183 § 2 of the Act of 30 August 2002 Law on proceedings before administrative courts (Journal of Laws No. 153, item 1270 with amendments). Hence, the Court was bound to apply the basis quoted in the cassation claim and enumerated in Article 174 of said law. Such bases specify the course of proceedings of the Supreme Administrative Court. In the light of the above, the cassation claim deserved to be considered.

The Provincial Administrative Court in Warsaw stated in the ruling in question that the consent specified in Article 23 paragraph 1 pt. 1 of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws 2002 No. 101 item 926 with amendments) constitutes legal basis for the collection and processing of employee’s personal data, including biometric data, by the employer.

The Supreme Administrative Court does not concur with this view and states that the written consent of employee to the collection and processing of his/her data breaches the rights of the employee and the freedom to declare his/her will. Such an opinion is based on the subordinate status of the employee. The lack of balance in the employment relationship calls into question the freedom of consent to the collection and processing of biometric data. Due to this fact, the legislators limited, in Article 22¹ of the Labour Code, the scope of employee data which the employer may request. Using employee’s consent as legal basis for the collection of data other than specified in Article 22¹ of the Labour Code would amount to a circumvention of this provision.

The scope of data specified in Article 22¹ of the Labour Code may not be based on Article 23 paragraph 1 pt. 1 of the Data Protection Act for one more reason – it would violate the adequacy principle stipulated in Article 26 paragraph 1 pt. 3 of the Data Protection Act. This principle was implemented into the Data Protection Act from the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the EU of 23.11.1995). This Directive has been implemented into the Polish legal system, hence it applies to the entities collecting and processing personal data as well as those ruling in cases related to data protection and public authorities. The proportionality principle imposes an obligation for the controllers to process correct data in a manner appropriate to the purposes for which the data was collected.

A consultation authority called Article 29 Working Party was created on the basis of Article 29 of the Directive. The authority is composed of representatives of data protection authorities of Member States. The Group is to oversee the uniform implementation of data protection measures adopted on the basis of the Directive by the Member States. In a working document on biometrics adopted by the Working Party on 1 August 2003, the need to respect the principles of proportionality and legality was underlined. The risk of breach of fundamental rights and freedoms needs to be proportionate to the purpose it is intended to serve. As the proportionality principle, specified in Article 26 paragraph 1 pt. 3 of the Data Protection Act is giving consent for the processing of biometric data, it needs to be underlined that the use of biometric data to control the working hours of the employees of L. Sp. z o.o. is not proportionate to the intended purpose of their processing. In the working document mentioned above, the Working Party stated that the employer makes a mistake if he attempts to legalize the processing of employee’s data by the consent given by this employee. Consent may be used as a legal ground if the employee may give it freely or refuse to give it without detriment. The Supreme Administrative Court fully endorses this view.

In the light of the above, the claim concerning the breach of Article 22¹ of the Labour Code in relation to Article 23 paragraph 1 pt. 1 of the abovementioned act is grounded, hence the ruling of Provincial Administrative Court in Warsaw shall be repealed and the claim based on Article 188 of the Law on Proceedings before Administrative Courts – rejected.
