UODO (Poland) - DKN.5131.1.2025: Difference between revisions
From GDPRhub
m (→Facts) |
mNo edit summary |
||
| Line 65: | Line 65: | ||
}} | }} | ||
The DPA fined the Minister of Digitalisation | The DPA fined the Polish Minister of Digitalisation PLN 100,000 (€23,448,50) and the Polish Post S.A. PLN 27,124,816 (€6,444,174) for unlawfully processing the personal data of ca. 30 million citizens in order to provide for postal voting in a general election. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In April 2020, the Polish Prime Minister decided to hold elections for the President of the Republic of Poland by | In April 2020, the Polish Prime Minister decided to hold elections for the President of the Republic of Poland by postal voting. He instructed the Polish Post S.A. (Post) to prepare the organisation for the elections. The Post requested from the Minister of Digitalisation (Minister) citizens personal data collected in the Register of the Universal Electronic Population Registration System (PESEL Register) for the purpose of creating a database of voters' addresses for the delivery of packages. | ||
The Minister provided the personal data of approximately 30 million people. More specifically; the PESEL number (a unique 11-digit identifier), the first names, the surnames, the last current address of permanent residence registration, the address of temporary residence registration, as well as the currently registered temporary departure outside the country of all living persons of legal age with a registered Polish citizenship. | The Minister provided the personal data of approximately 30 million people. More specifically; the PESEL number (a unique 11-digit identifier), the first names, the surnames, the last current address of permanent residence registration, the address of temporary residence registration, as well as the currently registered temporary departure outside the country of all living persons of legal age with a registered Polish citizenship. | ||
The | The Post continued to process the data for the purposes of the organisation of the general election up until their deletion in May 2020. | ||
In April 2020, the Ombudsman for Civil Rights Protection filed a complaint to the Provincial Administrative Court of Warsaw (WSA) against the aforementioned decision of the Polish Prime Minister and in May 2020 against the Minister's action to provide the personal data. | |||
Following the complaints, the WSA, in 2021, and the Supreme Administrative Court of Poland (NSA), in 2024, issued their final judgments. They declared the Minister's action of April 2020 to provide the Post with access to personal data from the PESEL register ineffective. Both courts held that there was no legal basis under polish law for conducting the 2020 presidential election exclusively by correspondence and therefore no legal basis for issuing an order that would oblige one to take steps to prepare to carry them out. Also, the courts stated that the Post and the Minister were obliged to verify whether the request of the Prime Minister was justified. | |||
In 2025, the DPA deemed it necessary to initiate proceedings ex officio. | In 2025, the DPA deemed it necessary to initiate proceedings ex officio. | ||
The Minister claimed that, according to [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the processing of personal data is lawful when it is necessary for the fulfilment of a legal obligation incumbent on the controller, while the | The Minister claimed that, according to [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the processing of personal data is lawful when it is necessary for the fulfilment of a legal obligation incumbent on the controller, while the Post claimed that its actions were not unlawful. | ||
=== Holding === | === Holding === | ||
The DPA examined the case taking into account that it was bound by the aforementioned judgements of the WSA and NSA and was not able to assess the actions of the Minister and the | The DPA examined the case taking into account that it was bound by the aforementioned judgements of the WSA and NSA and was not able to assess the actions of the Minister and the Post differently. It has no doubt that both the Minister and the Post acted as controllers of the personal data in question. | ||
First, the DPA upheld that there was no legal provision to stipulate the processing of personal data from the PESEL register. Therefore Article 6(1)(c) GDPR could not be considered a legal basis. Furthermore, the DPA examined the possibility of another legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] and held that it is impossible to conclude that there is one. The Minister, by sharing personal data to the Post for the purpose of organising the general elections in 2020 and the Post, by carrying out tasks related to this purpose, processed personal data without a legal basis. Consequently, the DPA found a violation of Article [[Article 6 GDPR|6(1)]] and [[5(1)(a) GDPR]]. | |||
Second, the DPA imposed an administrative fine to the Minister in the amount of PLN 100,000 (€23,448,50) and to the Post in the amount of PLN 27,124,816 (€6,444,174) for violations of Article 5(1)(a) and [[Article 6 GDPR#1|Article 6(1) GDPR]], taking into account the nature, gravity, and duration of the breach and the nature, scope, or purpose of the processing in question, the number of data affected, and the extent of the damage suffered by the data subjects ([[Article 83(2) GDPR]]). | |||
== Comment == | == Comment == | ||
Revision as of 07:24, 28 May 2025
| UODO - DKN.5131.1.2025 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 10.01.2025 |
| Decided: | 17.03.2025 |
| Published: | 19.05.2025 |
| Fine: | 27,124,816 PLN |
| Parties: | Minister of Digitalisation of Poland Polish Post S.A. |
| National Case Number/Name: | DKN.5131.1.2025 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | Le |
The DPA fined the Polish Minister of Digitalisation PLN 100,000 (€23,448,50) and the Polish Post S.A. PLN 27,124,816 (€6,444,174) for unlawfully processing the personal data of ca. 30 million citizens in order to provide for postal voting in a general election.
English Summary
Facts
In April 2020, the Polish Prime Minister decided to hold elections for the President of the Republic of Poland by postal voting. He instructed the Polish Post S.A. (Post) to prepare the organisation for the elections. The Post requested from the Minister of Digitalisation (Minister) citizens personal data collected in the Register of the Universal Electronic Population Registration System (PESEL Register) for the purpose of creating a database of voters' addresses for the delivery of packages.
The Minister provided the personal data of approximately 30 million people. More specifically; the PESEL number (a unique 11-digit identifier), the first names, the surnames, the last current address of permanent residence registration, the address of temporary residence registration, as well as the currently registered temporary departure outside the country of all living persons of legal age with a registered Polish citizenship.
The Post continued to process the data for the purposes of the organisation of the general election up until their deletion in May 2020.
In April 2020, the Ombudsman for Civil Rights Protection filed a complaint to the Provincial Administrative Court of Warsaw (WSA) against the aforementioned decision of the Polish Prime Minister and in May 2020 against the Minister's action to provide the personal data.
Following the complaints, the WSA, in 2021, and the Supreme Administrative Court of Poland (NSA), in 2024, issued their final judgments. They declared the Minister's action of April 2020 to provide the Post with access to personal data from the PESEL register ineffective. Both courts held that there was no legal basis under polish law for conducting the 2020 presidential election exclusively by correspondence and therefore no legal basis for issuing an order that would oblige one to take steps to prepare to carry them out. Also, the courts stated that the Post and the Minister were obliged to verify whether the request of the Prime Minister was justified.
In 2025, the DPA deemed it necessary to initiate proceedings ex officio.
The Minister claimed that, according to Article 6(1)(c) GDPR, the processing of personal data is lawful when it is necessary for the fulfilment of a legal obligation incumbent on the controller, while the Post claimed that its actions were not unlawful.
Holding
The DPA examined the case taking into account that it was bound by the aforementioned judgements of the WSA and NSA and was not able to assess the actions of the Minister and the Post differently. It has no doubt that both the Minister and the Post acted as controllers of the personal data in question.
First, the DPA upheld that there was no legal provision to stipulate the processing of personal data from the PESEL register. Therefore Article 6(1)(c) GDPR could not be considered a legal basis. Furthermore, the DPA examined the possibility of another legal basis under Article 6(1) GDPR and held that it is impossible to conclude that there is one. The Minister, by sharing personal data to the Post for the purpose of organising the general elections in 2020 and the Post, by carrying out tasks related to this purpose, processed personal data without a legal basis. Consequently, the DPA found a violation of Article 6(1) and 5(1)(a) GDPR.
Second, the DPA imposed an administrative fine to the Minister in the amount of PLN 100,000 (€23,448,50) and to the Post in the amount of PLN 27,124,816 (€6,444,174) for violations of Article 5(1)(a) and Article 6(1) GDPR, taking into account the nature, gravity, and duration of the breach and the nature, scope, or purpose of the processing in question, the number of data affected, and the extent of the damage suffered by the data subjects (Article 83(2) GDPR).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
On the basis of Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572) in connection with Article 7 par. 1, Article 60, Article 101, Article 102 par. 1 point 1 and par. 3 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Article 57 par. 1 letter a) and letter h), Article 58 par. 2 letter i), Article 83 par. 1-3, Article 83 par. 5 letter a) in connection with Article 5 par. 1 letter a) and Article 6 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulations) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as "Regulation 2016/679", and in conjunction with Art. 170 and Art. 153 of the Act of 30 August 2002 - The Code of Administrative Court Procedure (Journal of Laws of 2024, item 935, as amended), after conducting administrative proceedings initiated ex officio in the case of violation of the provisions on the protection of personal data by the Minister of Digitization (ul. Królewska 27, 00-060 Warsaw) and Poczta Polska S.A. with its registered office in Warsaw (ul. Rodziny Hiszpańskich 8, 00-940 Warsaw), the President of the Personal Data Protection Office,
1) finding a violation by the Minister of Digitization (ul. Królewska 27, 00-060 Warsaw) of Art. 6 sec. 1 of Regulation 2016/679, consisting in the unlawful processing of personal data collected in the register of the Universal Electronic Population Registration System, by making them available on 22 April 2020 without a legal basis in the scope of: PESEL number, first names, last names, last valid permanent residence address (and if there is none: last invalid address), temporary residence address (along with the declared date of such stay), as well as currently registered temporary trip outside the country, of all adults on 10 May 2020, who on the date of data generation had registered Polish citizenship in the above-mentioned register, were listed as living persons and for whom the indicated country of residence was Poland, for the benefit of Poczta Polska S.A. with its registered office in Warsaw (ul. Rodziny Hiszpańskich 8, 00-940 Warsaw), which resulted in a violation of the principle of lawfulness of processing specified in art. 5 sec. 1 letter a) of Regulation 2016/679, imposes on the Minister of Digital Affairs (ul. Królewska 27, 00-060 Warsaw) an administrative fine in the amount of PLN 100,000 (in words: one hundred thousand zlotys),
2) finding a violation by Poczta Polska S.A. with its registered office in Warsaw (ul. Rodziny Hiszpańskich 8, 00-940 Warsaw) of art. 6 sec. 1 of Regulation 2016/679, consisting in the processing without legal basis of personal data made available to this company on 22 April 2020 by the Minister of Digitization (ul. Królewska 27, 00-060 Warsaw), collected in the register of the Universal Electronic Population Registration System, in the scope of: PESEL number, first names, last names, last valid permanent residence address (and if there is none: last invalid address), temporary residence address (together with the declared date of such stay), as well as currently registered temporary trip outside the country, of all adults on 10 May 2020, who on the date of data generation had registered Polish citizenship in the above-mentioned register, were listed as living persons and for whom the indicated country of residence was Poland, which resulted in a violation of the principle of lawfulness of processing specified in Art. 5 sec. 1 lit. a) Regulation 2016/679, imposes on Poczta Polska S.A. with its registered office in Warsaw (ul. Rodziny Hiszpańskich 8, 00-940 Warsaw) an administrative fine in the amount of PLN 27,124,816 (in words: twenty-seven million one hundred twenty-four thousand eight hundred sixteen zlotys).
________________________________________________________________________
The finding that the analyzed process of personal data processing by the Minister of Digital Affairs and Poczta Polska S.A. with its registered office in Warsaw was carried out despite the lack of a legal basis under Art. 6 sec. 1 of Regulation 2016/679 is associated with the finding that the indicated administrators also violated Art. 5 sec. 1 letter a) of the aforementioned legal act – violating the principle of legality, reliability and transparency expressed therein.
________________________________________________________________________
Justification
1. By decision of 16 April 2020 ((…)) the Prime Minister ordered Poczta Polska S.A. with its registered office in Warsaw (ul. Rodziny Hiszpańskich 8, 00-940 Warsaw), hereinafter referred to as the "Company", to carry out activities consisting in undertaking and implementing the necessary actions aimed at preparing the elections of the President of the Republic of Poland in 2020 in correspondence mode, which was to be related to the need to counteract COVID-19, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material and human resources. Then, on 22 April 2020, the Minister of Digital Affairs (ul. Królewska 27, 00-060 Warsaw), hereinafter referred to as the "Minister", made available to the Company, upon the request submitted by it on 20 April 2020, personal data collected in the register of the Universal Electronic Population Registration System (hereinafter referred to as the "PESEL register") in the scope of: PESEL number, first names, last names, last valid permanent residence address (and if there is none: last invalid address), temporary residence address (together with the declared date of such stay), as well as currently registered temporary trip outside the country, of all persons of legal age on 10 May 2020, who on the date of data generation had Polish citizenship registered in the above-mentioned register, were listed as living persons and for whom Poland was the indicated country of residence (approximately 30 million people[1]). This occurred, as indicated in the aforementioned application, in connection with the implementation of tasks related to the organization of the elections of the President of the Republic of Poland. They were to be held on May 10, 2020 - at a time when attempts were being made to limit the possibilities of the rapid development of the COVID-19 epidemic. The aforementioned actions became the subject of many discussions, including in the media, and aroused numerous controversies and anxiety among some public opinion.
2. As a result of the disclosure of these personal data, the President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office" or the "supervisory authority") received 178 complaints about irregularities in the process of processing personal data by the Minister or by the Company. However, the situation concerned not only many people whose data was made available as a result of the above actions – it also became a reason for decisive actions of the Commissioner for Human Rights (hereinafter: "RPO"), who already on 29 April 2020 filed a complaint with the Provincial Administrative Court in Warsaw (hereinafter: "PAC") against the above decision of the Prime Minister regarding ordering the Company to carry out activities in the scope of counteracting COVID-19 aimed at preparing and conducting the elections of the President of the Republic of Poland in 2020 by correspondence. Shortly after that, i.e. on 15 May 2020, the Commissioner for Human Rights filed a complaint with the PAC against the action of the Minister of 22 April 2020 consisting in the above-described disclosure of personal data from the PESEL register to the Company. Following the complaints filed by the Commissioner for Human Rights, the Regional Administrative Court and the Supreme Administrative Court (hereinafter referred to as the "NSA") issued judgments (described in points 11 and 12 of this decision), as a result of which the following were finally and legally established: - invalidity of the decision of the Prime Minister issued on 16 April 2020, reference number: (...) (described in point 4 below), which initiated the submission of the above-mentioned application by the Company, - ineffectiveness of the Minister's action consisting in the above-mentioned disclosure of personal data from the PESEL register to the Company.
These judgments established both the factual and legal status, which the President of the UODO accepted as binding, taking into account, among other things, the content of Article 170 in connection with Article 153 of the Personal Data Protection Act [2]. This obviously had to have an impact on the actions taken by the supervisory authority to date. Therefore, he withdrew, among other things, the cassation appeal he had filed against the judgment of the Provincial Administrative Court of 23 April 2021, reference number II SA/Wa 1750/20, annulling the resolution of the President of the UODO of 7 July 2020, reference number (...), on the refusal to initiate proceedings in the case of an individual complaint filed to the authority by a natural person about irregularities in the process of processing his or her personal data by the Minister and the Company, in connection with the organisation of “envelope elections”. Resolution of the Supreme Administrative Court (reference number III OSK 6133/21) on discontinuation of the cassation proceedings as a result of the withdrawal by the President of the UODO of the above-mentioned cassation appeal was issued on 9 April 2024, while the last of the judgments of the Voivevodship Administrative Court and the Supreme Administrative Court referred to in points 11 and 12 of this decision was issued on 28 June 2024. At that time, the Supervisory Authority took further steps in individual cases and further considered it necessary to take the steps referred to in point 3 below.
3. Taking into account, among other things, a significant number of complaints referred to in point 2 above, as well as the final judgments issued by the Provincial Administrative Court and the Supreme Administrative Court (described in points 11 and 12 of this decision, which had a binding impact on the current legal assessment of the situation described in point 1 above), the President of the UODO considered it necessary to initiate ex officio (letter of 10 January 2025, reference number: (...))) administrative proceedings regarding the possibility of infringement by the Minister and the Company of the obligations arising from the provisions of art. 5 sec. 1 letter a) and art. 6 sec. 1 of Regulation 2016/679, in connection with the organisation of the elections of the President of the Republic of Poland in 2020 (reference number (...)). In doing so, he also took into account the content of art. 189g § 1 of the Code of Administrative Procedure[3]. When conducting the administrative proceedings initiated in this case, the President of the UODO was bound (in accordance with Article 170 and Article 153 of the Personal Data Protection Act, as indicated above) by the findings of the Voivevodship Administrative Court and the Supreme Administrative Court contained in the above-mentioned judgments. In the legal situation shaped by these judgments, the supervisory authority issued a decision taking into account the binding factual findings that were the basis for issuing these judgments and the findings and legal assessments of the courts contained in these judgments (referred to in point 2 above).
The President of the Personal Data Protection Office, as a result of the conducted administrative proceedings, established the following factual circumstances:
4. By decision of 16 April 2020 (ref.: (...)), the Prime Minister, referring to art. 11 sec. 2 in connection with art. 11 sec. 2a, sec. 3 of the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them (hereinafter referred to as the "COVID-19 Act") in connection with art. 104 of the Code of Administrative Procedure, instructed the Company to take action, consisting in undertaking and implementing the necessary activities aimed at preparing the conduct of the elections of the President of the Republic of Poland in 2020 in correspondence mode, which was to be related to the need to counteract COVID-19, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material and staff resources. In this decision, hereinafter referred to as the "Decision of the Prime Minister of April 16, 2020", it was also noted that the implementation of the order is aimed at counteracting COVID-19 by preventing the spread of the SARS-CoV-2 virus as a result of people gathering in large groups as a result of their exercising their active right to vote in the presidential elections in the form of a visit to a polling station. (A copy of this decision - in the case files). 5. Following the issuance of the Decision of the Prime Minister of April 16, 2020, on April 20, 2020, the Company submitted to the Minister of Digitization an “Application for sending from the PESEL register” (reference: (...)) the data referred to below. In this application, hereinafter referred to as the “Company’s Application of April 20, 2020”, the Company, citing Art. 99 of the Act of 16 April 2020 on specific support instruments in connection with the spread of the SARS-CoV-2 virus (hereinafter referred to as "u.s.i.w.") and in connection with the implementation of tasks related to the organization of the elections of the President of the Republic of Poland, requested the provision of electronic data from the PESEL register in the following scope: 1) addresses: - last (current or last invalid if the person does not have a current) permanent residence registration: a) TERYT (7-character TERYT code of the commune), b) SIMC - locality identifier, c) ULIC - street identifier, d) postal code, e) voivodeship (name), f) district (name), g) commune (name). For cities with districts, the name of the district will be in the name of the commune,h) town,i) street,j) house number,k) apartment number,l) address validity indicator;- registered address for temporary stay and date of expiry of the declared stay - according to the scheme indicated in the previous indent in letters a) - l); It was also noted that these data do not include outdated addresses (i.e. those with a date of deregistration from temporary stay);- date of departure outside the borders of the Republic of Poland lasting longer than 6 months - if the departure is current, i.e. does not have a return date or the return date is from the future on the date of data generation;- date of return from departure outside the borders of the Republic of Poland lasting longer than 6 months - if it is a date from the future on the date of data generation;2) Citizen data:a) First name,b) Middle name,c) Last name,d) PESEL number. The application also stated that the transfer of the data referred to above applies only to persons who were of legal age on 10 May 2020 and who, on the date of generating the data transferred, had Polish citizenship registered in the PESEL register and were listed as living persons and for whom Poland was indicated as the country of residence. It was also explained that this data is needed and will be used solely for the purpose of carrying out tasks related to the organisation of the elections of the President of the Republic of Poland (the application refers to building the most up-to-date database of voters' addresses for the delivery of election packages), and after achieving the purpose, it will be deleted from the operator's IT system. (Copy of the Company's letter to the Minister dated 20 April 2020 - in the case file).
6. The Company (being the operator designated to provide universal services for the years 2016-2025[4]) obtained from the Minister, as a result of the above-mentioned application, personal data contained in the PESEL register. They were transferred to the Company (on a data carrier: DVD) in connection with the organization of the elections of the President of the Republic of Poland in 2020 on April 22, 2020. (Copy of the Company's letter to the Office for Personal Data Protection, hereinafter referred to as "UODO", dated September 12, 2024 - in the case files).
7. The Minister stated that he had not disclosed the data of all Polish citizens "(...) but only - living Polish citizens who were adults on May 10, 2020 and whose country of residence was Poland". He indicated that the disclosure was made on the basis of Article 99 of the u.s.i.w. He also emphasized that in accordance with Article 6 paragraph 1 letter c) of Regulation 2016/679, the processing of personal data is lawful when it is necessary to fulfill a legal obligation incumbent on the controller. Such an obligation for the Minister, as the controller of data processed in the PESEL register, resulted in his assessment from the aforementioned Article 99 of the Personal Data Protection Act (Copy of the Minister's letter to the Personal Data Protection Act of 21 November 2024 - in the case files).
8. The Company also indicated that in connection with the preparation for participation in the organization of the general elections for the President of the Republic of Poland called in 2020, it obtained data from the PESEL register in order to perform these tasks, pursuant to Article 99 of the Personal Data Protection Act. and the Decision of the Prime Minister of Poland of April 16, 2020. The Company indicated that the Minister provided it with the data of adults on May 10, 2020, who on the date of data generation had Polish citizenship registered in the PESEL register, were listed as living persons and for whom Poland was the indicated country of residence. (Copy of the Company's letter to the UODO of August 19, 2024 - in the case files).
9. Due to the expiry of the day set by the Speaker of the Sejm of the Republic of Poland as the date for the elections for the President of the Republic of Poland, i.e. May 10, 2020, on May 12, 2020, the Minister asked the Company to immediately submit to the Ministry of Digitization a declaration submitted by an authorized person in accordance with the rules of representation of the Company on the permanent deletion of the data transferred to the Company on DVD on April 22, 2020 and all copies of the data. (Copy of the letter dated May 12, 2020, reference number: (...) - in the case file).
10. Due to the cessation of the purpose of processing personal data (i.e. the Company's preparation for the general elections for the President of the Republic of Poland called in 2020, which were to be held on May 10, 2020), the Company permanently deleted all personal data obtained from the PESEL register (provided by the Minister). The deletion took place between May 15 and 22, 2020. (Copy of the Company's letter to the Personal Data Protection Office dated August 19, 2024 - in the case files).
11. The Provincial Administrative Court in its judgment of September 15, 2020 (reference number VII SA/Wa 992/20), hereinafter referred to as the "Judgment of the Provincial Administrative Court of September 15, 2020", issued in the case on the complaint of, among others, The Ombudsman for Human Rights on the Decision of the PRM of 16 April 2020, declared this decision invalid (see: (...)). The cassation appeals filed in this case were dismissed by the Supreme Administrative Court in its judgment of 28 June 2024 (reference number III OSK 4524/21), as a result of which the aforementioned judgment of the Provincial Administrative Court of 15 September 2020 became final and binding (see: (...)).
12. The Regional Administrative Court, in its judgment of 26 February 2021 (reference number IV SA/Wa 1817/20), hereinafter referred to as the "Judgment of the Regional Administrative Court of 26 February 2021", in the case of the complaint of the Commissioner for Human Rights against the action of the Minister of Digital Affairs, found the ineffectiveness of the action of the Minister of April 22, 2020 consisting in providing the Company with personal data from the PESEL register concerning living Polish citizens who came of age on 10 May 2020 and whose country of residence is Poland (see: (...)). The cassation appeal filed in this case was dismissed by the Supreme Administrative Court in its judgment of 13 March 2024 (reference number II OSK 1630/21), as a result of which the judgment of the Regional Administrative Court of 26 February 2021 became final and binding (see: (...)). In this last judgment, the NSA also indicated that "On 22 April 2020, the Minister of Digital Affairs provided the company with personal data from the PESEL register kept by the Minister. The data provided included: 1) PESEL number, 2) first name, first names, 3) last name and 4) depending on what data the person has registered in the PESEL register - the current permanent residence address, and in the absence thereof, the last permanent residence address, as well as the temporary residence address. No information was provided on the dates of registration and deregistration, while in the case of a temporary residence address, information was provided on the expected date of stay at the temporary address. In addition, information was provided on whether the person currently has a registered temporary trip outside the country (without indicating the country of departure)"[5]. In this factual situation, after reviewing all the evidence gathered in the case, the President of the UODO considered the following:
13. Pursuant to art. 34 sec. 1 and 2 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781, hereinafter referred to as: "UODO"), the President of the UODO is the authority competent in matters of data protection and the supervisory authority within the meaning of Regulation 2016/679. Pursuant to art. 57 sec. 1 lit. In accordance with points (a) and (h) of Regulation 2016/679, without prejudice to other tasks specified under that Regulation, each supervisory authority on its territory shall monitor and enforce the application of this Regulation and conduct proceedings concerning the application of this Regulation, including on the basis of information received from another supervisory authority or another public authority. The corrective powers of a supervisory authority in the event of an infringement of the provisions of Regulation 2016/679 are set out in points (a) to (j) of Article 58(2) of Regulation 2016/679. That provision provides, inter alia, for the application, in addition to or instead of the measures referred to in that paragraph, of an administrative fine under Article 83, depending on the circumstances of the individual case (point (i)).
14. In accordance with art. 1 sec. 2 item 5 of the Personal Data Protection Act, this Act specifies the procedure for infringement of personal data protection provisions. In accordance with art. 60 of the Personal Data Protection Act, the President of the Personal Data Protection Act conducts proceedings for infringement of personal data protection provisions.
15. It therefore follows from the above that the proceedings conducted by the President of the Personal Data Protection Act are aimed at determining whether a personal data protection provision has been infringed in the case and, if such an infringement is found, exercising the remedial powers. The assessment carried out by the President of the Personal Data Protection Act is therefore used to examine the justification for exercising by him, as a supervisory authority, the remedial powers referred to in art. 58 sec. 2 of Regulation 2016/679.
I. Legal basis for the processing of personal data.
16. In art. Article 5 of Regulation 2016/679 specifies the principles for the processing of personal data that must be respected by all controllers, i.e. entities that, alone or jointly with others, determine the purposes and means of processing personal data. According to Article 5 paragraph 1 letter a) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner for the data subject ("lawfulness, fairness and transparency"). Compliance with the above principle is necessary for the proper implementation of the principle of accountability resulting from Article 5 paragraph 2 of Regulation 2016/679.
17. According to Article 6 paragraph 1 Regulation 2016/679 the processing of personal data is lawful only if - and to the extent that - at least one of the following conditions is met:a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;c) processing is necessary for compliance with a legal obligation to which the controller is subject;d) processing is necessary to protect the vital interests of the data subject or of another natural person;e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. concern, requiring the protection of personal data, in particular when the data subject is a child. It should be noted that the provision of Article 6 paragraph 1 letter f) of Regulation 2016/679 does not apply to the processing of personal data by public authorities in the performance of their duties.
18. The list of grounds for the lawfulness of personal data processing listed in Article 6 paragraph 1 of Regulation 2016/679 is closed. Each of the grounds for the legalisation of the personal data processing process is autonomous and independent. They are also equal to each other, which means that it is sufficient for the data processing process to be legal if one of them is met.
19. In accordance with Article 6 paragraph 3 of Regulation 2016/679, the basis for the processing referred to in Article 6 paragraph 1 letters c) and e) must be specified:a) in Union law; or (b) in the law of the Member State to which the controller is subject.
This provision further specifies that the purpose of the processing must be specified in that legal basis or, in the case of processing referred to in Article 6(1)(e), it must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including: the general conditions for the lawfulness of processing by the controller; the type of data subject to processing; the data subjects; the entities to whom personal data may be disclosed; the purposes for which they may be disclosed; purpose limitations; storage periods; and the processing operations and procedures, including measures to ensure the lawfulness and fairness of processing, including in other specific processing situations referred to in Chapter IX. Union law or the law of a Member State must serve to achieve an objective in the public interest and be proportionate to the legitimate objective pursued.
20. In this case, the supervisory authority is obliged to analyse the legal bases arising from the statutes indicated in the PRM Decision of 16 April 2020 and in the Company's Application of 20 April 2020 for the transfer of data from the PESEL register in electronic form, taking into account the fact that the authority is bound by the judgments indicated in points 11 and 12 of this decision, resulting from the principle of being bound by a final court decision expressed in Article 170 of the Personal Data Protection Act. In accordance with the judgment of the Provincial Administrative Court in Gdańsk of 27 March 2024 (reference number I SA/Gd 1109/23), »Expressed in Article 170 p.p.s.a. the essence of the binding force of a final court decision comes down to the fact that state bodies and courts must take into account the fact of the existence and content of a final court decision and all legal effects resulting from it. Although the force of res judicata includes the operative part of the decision, taking into account that the essence of judicial review is expressed in the legal assessment, and this is expressed in the justification, the scope of the force of res judicata within the meaning of art. 171 p.p.s.a. is indicated by the reasons. In a situation where a final court decision and the factual findings that formed its basis are binding, it is inadmissible in another case with a different subject to make legal findings and assessments that are contrary to the case that was finally judged. The decision contained in the final decision creates the legal status that results from it. Courts adjudicating another dispute between the same parties must assume that the legal issue is as adopted in the final, earlier judgment (see the judgment of the Supreme Administrative Court of 28 October 2022, file reference III FSK 778/22; the cited judgments are available in the Central Database of Administrative Court Rulings on the website odpowiedzialne.nsa.gov.pl, hereinafter referred to as "CBOSA").
The Supreme Administrative Court also presents the view that although the binding force of a final judgment is only in a given case, it may refer to other proceedings to the extent that a specific legal issue was resolved in that judgment, which is relevant to the resolution of another case as a preliminary issue or a further element shaping the process of applying the law by the court (see judgments of the Supreme Administrative Court of 31 May 2016, file reference II OSK 2295/14, of 24 November 2020, file reference II FSK 1014/19, CBOSA)«.
Furthermore, in the judgment of 14 November 2023, file reference III OSK 2623/21, the Supreme Administrative Court indicated that »The allegation of violation of Article 170 of the p.p.s.a., because the President of the UODO was bound, in accordance with the content of this provision, by judgments issued on the disclosure of public information, in the form of attachments to the applications of candidates for members of the National Council of the Judiciary, including lists of judges supporting the applications, by judgments of the Provincial Administrative Court in Warsaw of 29 August 2018, reference number II SA/Wa 484/18, and the Supreme Administrative Court of 28 June 2019, reference number I OSK 4282/18. It should be recalled that in accordance with Art. 170 of the p.p.s.a. "a final judgment is binding not only on the parties and the court that issued it, but also on other courts and other state authorities, and in cases provided for by law also other persons". It is noted that "the ratio legis of art. 170 of the p.p.s.a. is that it guarantees the maintenance of consistency and logic in the actions of state bodies, preventing the functioning in legal transactions of decisions that are irreconcilable in the entire system of exercising power (judgment of the Supreme Administrative Court of 19 May 1999, IV SA 2543/98). The view of the doctrine should be shared that "although being bound by a final judgment is binding only in a given case, it may refer to other proceedings to the extent to which a specific legal issue was resolved in that judgment, which is relevant for the resolution in another case as a preliminary issue or a further element shaping the process of applying the law by the court" (B. Dauter (in:) A. Kabat, M. Niezgódka-Medek, B. Dauter, Law on proceedings before administrative courts. Commentary, 2nd ed., LEX/el. 2021, art. 170). Article 170 of the p.p.s.a. has an ordering nature and means that in a case in which a final judgment of an administrative court has been issued, entities concerned by this judgment are obliged to recognise that the legal issue constituting the content of the court's decision is shaped in the way it was stated therein. It is therefore inadmissible for any entity other than in cases strictly specified in sections VII and VIIa of the p.p.s.a. to challenge or change the content of the decision. The binding force of a final judgment of an administrative court is determined by the subject matter of the case being examined, which "in accordance with the rules governing court and administrative proceedings are determined by the actual scope of the decision contained in this judgment" (T. Woś (in:) H. Knysiak-Sudyka, M. Romańska, T. Woś, Law on proceedings before administrative courts. Commentary, 6th edition, Warsaw 2016, art. 171), and therefore the scope of the decision regarding the assessment of the legality of the action or omission of a public administration body determines the subject limits of a given case. On the other hand, the subjective limits of the scope of bindingness of the judgment of an administrative court are defined in Art. 170 of the p.p.s.a. as "the essence of the binding force of a final court judgment specified in the commented provision is expressed in the fact that state bodies must take into account the fact of the existence and content of a final court judgment and all legal effects resulting from it" (Law on proceedings before administrative courts. Commentary, ed. R. Hauser. M. Wierzbowski, Legalis 2021, art. 170, thesis 1). Therefore, there is no doubt that both courts and public administration bodies are obliged to execute and respect a final judgment of an administrative court".
Moreover, in the judgment of 7 November 2019, file ref. Act II SA/Lu 392/19, the Voivodship Administrative Court in Lublin indicated that "The provision of art. 153 of the p.p.s.a. expresses the principle of binding the court and the body whose action or inaction was the subject of the appeal, with the legal assessment expressed in the court's ruling. The legal assessment provided for in this provision may concern both the interpretation of the law itself and the lack of explanation of the essential circumstances of the factual situation in the controlled administrative proceedings. In turn, art. 170 of the p.p.s.a. provides that a final judgment is binding not only on the parties and the court that issued it, but also on other courts and other state bodies, and in cases provided for in the act, also on other persons. Being bound by the legal assessment referred to in art. 153 of the p.p.s.a. and in art. 170 of the p.p.s.a. means that such a judgment is of significant importance for the proceedings conducted after its issuance issuing administrative and judicial-administrative proceedings concerning related matters.”
21. The decision of the Prime Minister of 16 April 2020 was issued, among others, with reference to Article 11 paragraph 2 in connection with Article 11 paragraph 2a, paragraph 3 of the COVID-19 Act. Article 11 paragraph 2 of the aforementioned Act in the wording in force on the date of issue of this decision stated that “The Prime Minister, on his own initiative or at the request of the voivode, after informing the minister responsible for economic affairs, may, in connection with counteracting COVID-19, issue orders binding legal persons and organizational units without legal personality and entrepreneurs other than those listed in paragraph 1. Orders are issued by way of an administrative decision, are subject to immediate execution from the moment of their delivery or announcement and do not require justification.” In the Decision of the Prime Minister of 16 April 2020, as already indicated above, the Prime Minister instructed the Company to "implement activities in the scope of counteracting COVID-19, consisting in undertaking and implementing the necessary activities aimed at preparing to hold the elections of the President of the Republic of Poland in 2020 in correspondence mode, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material [and] human resources".
22. The consequence of issuing the above Decision of the Prime Minister of 16 April 2020 was the submission to the Minister of Digitization of the Company's Application of 20 April 2020 for the transfer in connection with the implementation of tasks related to the organization of the elections of the President of the Republic of Poland in electronic form of data from the PESEL register in the scope already indicated in point 5 of this decision. In this application, the Company referred to Article 99 of the Postal Law. This provision, in the wording on the date of submission of the Company's Application of April 20, 2020, provided that "The designated operator within the meaning of the Act of November 23, 2012 - Postal Law, after submitting an application in electronic form, receives data from the PESEL register or from another list or register at the disposal of a public administration body, if such data are needed to perform tasks related to the organization of the elections of the President of the Republic of Poland or to perform other obligations imposed by government administration bodies. The data referred to in the first sentence shall be transferred to the designated operator, in electronic form, within a period not longer than 2 business days from the date of receipt of the application. The designated operator is authorized to process the data only for the purpose for which it received such data." 23. In carrying out the above-mentioned Request, on 22 April 2020, the Minister made available to the Company (being – as already indicated in point 6 of this decision – the operator designated to provide universal services for the years 2016-2025) the personal data contained in the PESEL register. This was done by issuing an IT medium, i.e. a DVD. As it results from the evidence collected in the case, in view of the existence in legal transactions of the above-mentioned judgments, i.e. the above-mentioned judgment of the Regional Administrative Court of 15 September 2020 (reference number VII SA/Wa 992/20) declaring the invalidity of the above-mentioned decision of the Prime Minister of 16 April 2020, upheld by the above-mentioned judgment of the Supreme Administrative Court of 28 June 2024 (reference number III OSK 4524/21) and the above-mentioned judgment of the Regional Administrative Court of 26 February 2021 (reference number IV SA/Wa 1817/20), declaring the ineffectiveness of the action of 22 April 2020 consisting in providing Poczta Polska S.A. with personal data from the PESEL register, relating to living Polish citizens who came of age on 10 May 2020 and whose country of residence is Poland, as issued in violation of the provisions of the law in force on the date of its execution, upheld by the above-mentioned judgment of the Supreme Administrative Court of 13 March 2024 (reference number II OSK 1630/21), in the opinion of the President of the UODO, the Minister of Digitization did not demonstrate any of the premises under Art. 6 sec. 1 of Regulation 2016/679 to provide personal data from the PESEL register to the Company for the purpose of organizing the general elections for the President of the Republic of Poland ordered in 2020, and the Company did not demonstrate any of the grounds under Art. 6 sec. 1 of Regulation 2016/679 to process the above-mentioned data for the above purpose. In the context of determining the invalidity of the decision of the Prime Minister of 16 April 2020, imposing on Poczta Polska S.A. the obligation referred to in Art. 99 of the Act. and the finding of the ineffectiveness of the action of providing the Company with personal data from the PESEL register by the Minister of Digitization, as an action infringing the provisions of the law, it cannot be recognised that there was a legal basis for the Minister of Digitization to provide this data to the postal operator and for Poczta Polska S.A. to obtain personal data based on art. 6 sec. 1 letter c) of Regulation 2016/679 in connection with art. 99 of the Act on Personal Data Protection. On the date the above-mentioned personal data were made available, as stated in the cited rulings of the Regional Administrative Court and the Supreme Administrative Court, there was no legal provision providing for the designated operator to carry out tasks related to the organisation of the elections of the President of the Republic of Poland, for the performance of which it would be necessary to process data from the PESEL register. It is worth citing the justification for the above-mentioned judgment of the Supreme Administrative Court of 13 March 2024 (reference number II OSK 1630/21), in which the Supreme Administrative Court stated, in particular, that, quote: »In national law, the principles of disclosing data from the PESEL register and resident registers are regulated in the provisions of the Act on the Population Register (Article 45 et seq.). Data from this register shall be made available to the entities listed in Article 46 sec. 1, but only to the extent necessary to perform their statutory tasks; this connection must result from the need to possess personal data covered by the register in order to achieve the purpose specified in the content of the task (mandatory disclosure). Data from the PESEL register may also be made available to other entities specified in Article 46 sec. 2, but after meeting all the requirements contained in this provision (optional disclosure). The provision of Article Article 99 of the Act of 2020 [u.s.i.w.], covered by the cassation grounds, is undoubtedly a special provision in relation to the presented general regulation regarding the disclosure of data from the PESEL register. (...) P. S.A. [Company] in its application for the disclosure of data from the PESEL register, invoking the authorization arising from Article 99 of the Act, indicated that "the data are needed and will be used solely for the purpose of carrying out tasks related to the organization of the elections of the President of the Republic of Poland". The Minister of Digital Affairs was therefore obliged to verify this application, namely whether this application is justified by the implementation of tasks related to the organization of the elections. This in turn resulted in the need for another verification, this time of the designated operator's competence to carry out tasks related to the organization of elections, because Article 99 of the Act of 2020 alone cannot be considered the source of such competence (such competences). These sources should be sought in the provisions of electoral law (in the Electoral Code or in special provisions). If the legal order in force on the date of consideration of the application did not contain appropriate provisions granting P. S.A. competences related to the organisation of elections of the President of the Republic of Poland, the application in question should not be taken into account (...)«. Furthermore, in the justification of the aforementioned The judgment stated: "First of all, the provisions of the Electoral Code Act did not provide for the necessity for the designated operator within the meaning of the Postal Law Act to process personal data for the purpose of carrying out tasks related to the organisation of the elections of the President of the Republic of Poland. (...) Therefore, if the legislator considered that there was a need to introduce, in these undoubtedly extraordinary circumstances, the necessary legal regulation providing for the designated operator to carry out tasks, mainly of a technical nature, related to the organisation of the elections of the President of the Republic of Poland, which would also justify the processing of data from the PESEL register for the purposes of carrying out these tasks, such regulation could be introduced into the legal order by way of an act. Only then could a positive regulation in this matter constitute a basis for proceedings based on art. 99 of the Act of 2020 [u.s.i.w.] (...) On the day of undertaking the contested action, there were no other provisions of statutory rank providing for the designated operator with substantive (statutory) competence to process personal data for the purposes of carrying out tasks related to the organisation of the elections of the President of the Republic of Poland Poland. They are notably absent from the Act of 2020 and the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them (...). The principles and procedure for conducting the elections of the President of the Republic of Poland are specified by the Act (Article 127 paragraph 7 of the Constitution of the Republic of Poland). This means that the tasks related to the organization of the elections of the President of the Republic of Poland provided for electoral commissions, electoral commissioners, electoral officials, municipal authorities, etc.may be specified in statutory provisions. Also, tasks of a technical nature in the electoral procedure, provided for the designated operator within the meaning of the Postal Law Act, primarily related to the processing of personal data, may be regulated only by statute. As already indicated, the aforementioned decision of the Prime Minister of 16 April 2020 instructing P. S.A. to carry out the activities specified therein, for example those listed therein, refers to activities aimed at preparing and conducting the elections of the President of the Republic of Poland in 2020 by correspondence. The ruling contained in this decision does not indicate the need for the company to process personal data from the PESEL register in connection with the order to take these actions” (see the judgment of the Supreme Administrative Court of 13 March 2024, file reference II OSK 1630/21, (...)). It is also justified to quote the justification of the aforementioned judgment of the Provincial Administrative Court of 26 February 2021 (file reference IV SA/Wa 1817/20), in which the Provincial Administrative Court found, in particular, that the contested action was defective because it was taken in breach of Art. 99 of the Personal Data Protection Act by the Minister of Digitization, consisting in providing Poczta Polska S.A. with data from the PESEL register in a situation where, contrary to the requirements of the aforementioned provision, there were no grounds to consider that these data were necessary for Poczta Polska S.A. for the declared purpose by it in the application for the performance of tasks related to the organization of the elections of the President of the Republic of Poland. On the date of the contested action by the Minister of Digital Affairs (i.e. on April 22, 2020), Poczta Polska S.A. did not have any competences of its own in the scope of the organization of the elections of the President of the Republic of Poland, the performance of which required the data provided by the Minister. At the same time, at no stage of the case did Poczta Polska S.A. invoke the fact, and above all, did not demonstrate, that the data provided would be necessary for it (in accordance with the alternative provided for in the provision) in order to perform other obligations imposed by government administration bodies. Moreover, in the justification of the above-mentioned judgment of February 26, 2021, the Regional Administrative Court indicated the following: "(...) The Authority [Minister of Digital Affairs], which received the application of the Participant [Poczta Polska S.A.] for the provision of data pursuant to Article 99 of the Personal Data Protection Act from the PESEL register, needed to carry out tasks related to the organization of the elections of the President of the Republic of Poland or in order to perform other obligations imposed by government administration bodies, should have found, based on the applicable legislation, that: 1) the Participant does not have any competences (tasks) in the scope of the organization of the elections of the President of the Republic of Poland, the implementation of which would require the provision of the above-mentioned data, 2) no other obligations were imposed on the Participant that would require such provision. This means that the statutory conditions for providing the Participant with data from the PESEL register, provided for in Art. 99 of the e.g., have not been met" (see judgment of the Provincial Administrative Court of 26 February 2021, reference number IV SA/Wa 1817/20, (...)). Similarly, the Supreme Administrative Court in the justification of the above. judgment of 28 June 2024 (reference number III OSK 4524/21) stated in particular, quote: »(...) Article 11 paragraph 2 of the Covid Act could not constitute the exclusive and independent legal basis for issuing an order by the Prime Minister to Poczta Polska to "undertake and implement the necessary actions aimed at preparing to hold the elections of the President of the Republic of Poland in 2020 by correspondence". When issuing the decision, the authority did not refer to any provision of law based on which it would be possible to reconstruct the substantive legal basis of the order issued to Poczta Polska. Neither the Court of First Instance nor the Supreme Administrative Court find a legal basis for issuing an order to Poczta Polska obliging it to take actions aimed at preparing to hold the presidential elections by correspondence. The fundamental reason for such a categorical assessment is the fact that, as of the date of issue of the decision of 16 April 2020, there was no legal basis in force that would allow for the elections of the President of the Republic of Poland in 2020 to be held solely by correspondence, and if so, then by definition there could not be a legal basis for issuing an order that would oblige to take steps to prepare for their conduct" (see judgment of the Supreme Administrative Court of 28 June 2024, reference number III OSK 4524/21, (...)). In turn, the Regional Administrative Court, in the justification of the above-mentioned judgment of 15 September 2020 (reference number VII SA/Wa 992/20), indicated in particular the following quote: "On the date of the ruling by the Prime Minister in the contested decision, there was no provision of statutory rank that would exclude the application of Article 157 § 1 in conjunction with Article 187 § 1 and § 2 of the Electoral Code, granting the powers of the National Electoral Commission to any other public administration body. In this respect, it cannot be validly legally claimed that such a provision was art. 11 sec. 2 in connection with art. 11 sec. 2a, sec. 3 of the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them. The provisions cited in the contested decision, which, according to the body, were to constitute the legal basis for the content of the order issued, did not allow the Prime Minister to take such action, which in fact constituted a legally impermissible amendment to the Act - Electoral Code. The fact that this body was authorized to issue orders in connection with counteracting COVID-19 is not tantamount to the fact that it was authorized to change the applicable law by designating a person other than the National Electoral Commission as authorized to perform any activities in the scope of preparing the presidential elections, by way of an administrative decision. (...) When issuing the contested decision, the Prime Minister derived the legal basis for the order contained therein from art. 11 sec. 2 in connection with art. 11 sec. 2a, sec. 3 of the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them. Nevertheless, as already mentioned in the preceding part of the justification, these provisions did not authorize this body to order Poczta Polska S.A. "implementation of activities in the scope of counteracting COVID-19, consisting in undertaking and carrying out the necessary activities aimed at preparing for holding the elections of the President of the Republic of Poland in 2020, in correspondence mode, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material resources and staff". The provisions cited in the decision only authorized issuing orders in connection with counteracting COVID-19, and not such as those specified in the operative part of the decision, in the scope concerning the elections of the President of the Republic of Poland" (see the judgment of the Voivodeship Administrative Court of 15 September 2020, reference number VII SA/Wa 992/20 (...)).
The President of the UODO fully shares the positions of the administrative courts presented above and the comprehensive analysis they made of the legal status in force on the date of issue of the above-mentioned. decision of 16 April 2020 by the Prime Minister and on the date of transfer of personal data by the Minister of Digital Affairs to Poczta Polska S.A., the consequence of which is the necessary statement that in this case none of the premises from art. 6 sec. 1 of Regulation 2016/679 authorising the Minister of Digital Affairs to provide personal data to the Company and their acquisition and processing by the Company in order to carry out tasks related to the organisation of general elections for the President of the Republic of Poland called in 2020 were met.
24. However, the Company received and processed the personal data made available to it in the period from their transfer by the Minister on 22 April 2020 until their deletion (which took place on 15-22 May 2020). The fact of disclosing personal data and processing them took place despite the fact that neither the Minister nor the Company had a legal basis for doing so. It should be emphasized that in the analyzed factual situation it cannot be assumed that the grounds for validating the Minister's actions can be found in the then applicable provisions of the Act on Population Registration[6] (Article 46 paragraphs 1 and 2), which was the subject of a broader analysis by both the Provincial Administrative Court in its judgment of February 26, 2021 and the Supreme Administrative Court in its judgment of March 13, 2024, and the relevant fragments of the justifications in this respect were indicated in Part II.B of this justification.
25. It should also be noted here that in the analyzed factual situation the supervisory authority does not have any doubts about the fact that both the Minister and the Company acted as the controller of the personal data in question. Having received personal data in connection with the application it had submitted, the Company independently took steps to assign it the function of data controller in accordance with Article 4, point 7 of Regulation 2016/679, including by determining the methods of processing personal data made available to it by the Minister. The President of the UODO also has no doubt that the data controller is the Minister of Digital Affairs as an authority, and not the person holding this position at the time the personal data were made available to the Company (i.e. on 22 April 2020).
26. Developing the last of the above statements, it should be emphasised that in Guidelines 07/2020[7] of the European Data Protection Board (hereinafter: EDPB), it was indicated that "The definition of controllership may result from legal provisions or an analysis of the elements of the factual situation or circumstances of the case". In light of the above, it should be emphasized that the principles of access to personal data processed within the PESEL register and the purposes for which such access may occur are specified in detail in the provisions of law, including the Population Register Act. These provisions clearly indicate that it is the minister responsible for computerization as a public administration body (and not the person currently holding this position) who ensures the maintenance and development of the PESEL register in order to perform the tasks specified in the Act (Article 6, paragraph 2 of the Population Register Act). The indicated provisions therefore determine that the status of the administrator is held by the Minister of Digital Affairs (the body) and it is he who is burdened with the obligations arising from the provisions of Regulation 2016/679. Consequently, it cannot be said in such a case that the actual actions of the person holding the ministerial position determine the determination of the entity with the status of the administrator, since it is the provision of law that grants the specific entity (administrator) the right to process personal data. Regardless of the above, it should be emphasized that the analysis of the factual circumstances in this case clearly shows that the administrator – primarily due to legal and actual access to the PESEL register – in the examined aspect is the Minister of Digital Affairs (authority). Therefore, even if the above-mentioned detailed legal provisions did not exist, the answer to the question of who is the administrator would be the same.
27. In accordance with the definition contained in Article 4(7) of Regulation 2016/679, the controller means a natural or legal person, public authority, agency or other entity which alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller may also be designated by Union law or the law of a Member State or specific criteria for its designation may be laid down. In the case of personal data contained in the PESEL register, which are the subject of this decision, the controller in the aspect under examination is the public administration body, i.e. the Minister of Digital Affairs, and not the natural person acting as the holder of that body.
28. Furthermore, the Guidelines 07/2020 indicate that "Sometimes companies and public authorities designate a specific person responsible for carrying out processing activities. Even if a specific natural person is designated to ensure compliance with data protection regulations, this person will not be the controller, but will act on behalf of the legal entity (company or public authority) that will bear ultimate responsibility in the event of a breach of the regulations as a result of acting as a controller."
29. Adopting a different position would result in the necessity to recognize that each time the person holding the function of a public administration authority (in this case the Minister of Digital Affairs) changes, the data controller would change. However, such an approach is not only contrary to the applicable provisions, as already indicated above, but also inadmissible from the point of view of the possibility of fulfilling the legal obligations of the administrator, due to the fact that then the person responsible for fulfilling the obligations of the administrator resulting from Regulation 2016/679 would not be the public administration body, but its custodian.
30. However, the custodian of a public administration body who has violated the provisions of the law, including the provisions on the protection of personal data, may be held criminally liable, e.g. in connection with exceeding his powers (including art. 107 sec. 1 of the Personal Data Protection Act). In addition, pursuant to the provisions of Chapter I, Section 5 of the Labour Code[8], he may be held financially liable for damage caused in an amount not exceeding the amount of three months' salary due to him on the day the damage was caused (Article 119 of the Labour Code), unless he caused the damage intentionally. In such a case, he is obliged to compensate for it in full (Article 122 of the Labour Code), which in practice allows the controller to enforce in such a case from the person (employee) responsible for the violation of personal data protection regulations the amount corresponding to the amount of damage suffered by the employer as a result of their intentional action (recourse liability). However, this decision is related to the administrative liability incurred by the data controller (Minister of Digitisation and the Company) for the violation of the provisions of Regulation 2016/679. However, as indicated, the personal data controller has legal means that allow him to pursue legal and financial liability – in particular in civil recourse proceedings, or by bringing the person guilty of violating the provisions on the protection of personal data to criminal liability for their violation. The President of the UODO is of the opinion that in order to ensure effective protection of personal data, effective mechanisms for pursuing liability for their violation by controllers are necessary, including in relation to the controller's employees, including persons employed in the structure of the controller on the basis of appointment as holders of an authority. However, this liability should be pursued in the appropriate procedures indicated above.
II. Determination of the invalidity of the PRM Decision of 16 April 2020 and the ineffectiveness of the Minister's action of 22 April 2020 consisting in providing the Company with personal data from the PESEL register.
II.A. Declaration of invalidity of the PRM Decision of 16 April 2020
31. In the justification of the judgment of 15 September 2020 (reference number VII SA/Wa 992/20), the WSA indicated in particular: - "(...) the only highest electoral body of the Republic of Poland authorized to take any actions related to the general elections was, on the day of issuing the contested decision, the National Electoral Commission [National Electoral Commission - own note], and not the Prime Minister. The NEC's competences had not been - until the date of issuing the contested decision - in any legal manner granted to another public body or entity.
Issuance by the Prime Minister on 16 April 2020 of the contested decision, instructing Poczta Polska S.A. to take actions - which by law were solely within the competence of the NEC and the KBW [of the National Electoral Office – own note] – and consisting in undertaking and implementing the necessary activities aimed at preparing for the holding of the elections of the President of the Republic of Poland in 2020, in the correspondence mode, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material resources and staff, thus constituted a gross violation of the above-mentioned provisions of the Electoral Code.
At the date of the ruling by the Prime Minister in the contested decision, there was no provision of statutory rank that would exclude the application of Article 157 § 1 in connection with Article 187 § 1 and § 2 of the Electoral Code, granting the powers of the National Electoral Commission to any other public administration body. In this respect, it cannot be legally validly claimed that such a provision was Article 11 par. 2 in connection with Article 11 par. 2a, par. 3 of the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them".- "Although on 6 April 2020 the Sejm of the Republic of Poland passed the Act on special rules for conducting general elections for the President of the Republic of Poland called in 2020, providing for elections to be held exclusively by correspondence, this Act did not receive the support of the Senate of the Republic of Poland, which on 5 May 2020 moved to reject it. However, the Sejm rejected the Senate resolution, and the President of the Republic of Poland signed the Act, but only on 8 May 2020. This Act entered into force on 9 May 2020".- "(...) appointed by the Prime Minister in the decision, as the legal basis of Art. 11 sec. 2 in conjunction with Art. 11 sec. 2a, sec. 3 of the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them to issue orders to specific entities clearly stated that these orders were to be in connection with counteracting COVID-19. However, these provisions did not authorise the Prime Minister to commission activities aimed at preparing for the holding of elections to Poczta Polska, and as a result to actually change the applicable law (the Electoral Code Act) by issuing a decision on the undertaking and implementation by any entity other than the National Electoral Office of the necessary activities aimed at preparing for the holding of the elections of the President of the Republic of Poland in 2020, and in a manner not provided for by the Act, i.e. in "correspondence mode"«.
32. In the justification of the judgment of 28 June 2024 (reference number III OSK 4524/21), the Supreme Administrative Court stated in particular that:- »(...) Article 11 paragraph 2 of the Covid Act could not constitute the exclusive and independent legal basis for the Prime Minister to issue an order to Poczta Polska to "undertake and implement the necessary actions aimed at preparing for the elections of the President of the Republic of Poland in 2020 by correspondence". When issuing the decision, the body did not refer to any provision of law based on which the substantive legal basis of the order issued to Poczta Polska could be reconstructed. Neither the Court of First Instance nor the Supreme Administrative Court find a legal basis for issuing an order to Poczta Polska obliging it to take actions aimed at preparing for the presidential elections by correspondence. The fundamental reason for such a categorical assessment is the fact that on the date of the decision of 16 April 2020, there was no legal basis in force that would allow the elections of the President of the Republic of Poland in 2020 to be held solely by correspondence, and if so, then by definition there could not be a legal basis for issuing an order that would oblige to take steps to prepare for their conduct«.-» (…) the National Electoral Office, which serves the National Electoral Commission, has the exclusive competence to take actions related to the organisation and conduct of the presidential elections. This National Electoral Office is to take all necessary actions to ensure that the electoral authorities have appropriate conditions and the organisational, personal, technical and financial resources necessary to conduct the elections. The issuance of an order requiring Poczta Polska to "undertake and implement the necessary actions aimed at preparing for the holding of the elections of the President of the Republic of Poland in 2020, in correspondence mode, in particular by preparing the organizational structure, providing the necessary infrastructure and acquiring the necessary material resources and staff" clearly interferes with the competences of the National Electoral Office. It is not Poczta Polska, but the National Electoral Office that has the legal authority to ensure the conditions necessary for holding the elections.
II.B Determination of the ineffectiveness of the Minister's action of 22 April 2020 consisting in providing the Company with personal data from the PESEL register.
33. In the judgment of the Regional Administrative Court of 26 February 2021 (reference number IV SA/Wa 1817/20), this Court found that the above-mentioned contested action was defective because it was undertaken in breach of Article 104 of the Constitution by the Minister. 99 of the Personal Data Protection Act. In the justification of this judgment, the Regional Administrative Court indicated in particular that: - "The acceptance that art. 99 of the Personal Data Protection Act, in principle, constituted the basis indicated in art. 6 sec. 3 of the GDPR for the processing of data for the purposes indicated in art. 6 sec. 1 letters c and e of the GDPR did not, however, release the administrator of the PESEL register (...) from the obligation to exhaustively examine the conditions and scope of permissible processing (i.e. making the data available to the Participant)". - "(...) the reconstruction by the Authority [the Minister - author's note] of the legal norm, which is to result from art. 99 of the Personal Data Protection Act, necessary to determine the precise scope of the rights of the Participant [the Company - author's note] and the competences of the Minister, which could possibly be implemented on the basis of art. 99 of the Personal Data Protection Act, could not be based on the assumption that the provision this independently and arbitrarily, i.e. in isolation from other regulations of the legal system, authorized the Authority to provide the Participant with data from the PESEL register, or that a sufficient basis for providing this data could be, in particular: 1) the Participant's mere declaration that these data are needed to carry out tasks related to the organization of the elections of the President of the Republic of Poland (or a hypothetical declaration that these data are needed to perform other obligations imposed by government administration bodies), possibly; 2) the issuance by the President of the Council of Ministers, on the basis of art. 11 sec. 2 in connection with art. 11 sec. 2a and 3 of the Act of 2 March 2020, of a decision of [...] April 2020, reference number [...], instructing the Participant to carry out activities in the field of counteracting COVID-19, consisting in undertaking and implementing the necessary activities aimed at preparing for the holding of general elections for the President of the Republic of Poland Poland in 2020 in correspondence mode.
(…) the legality of providing the Participant on [...] April 2020, on the basis of Article 99 of the Personal Data Protection Act, with personal data from the PESEL register maintained by the Authority, concerning living Polish citizens who came of age on 10 May 2020 and whose country of residence is Poland, was strictly dependent on the Authority establishing that on that date the Participant had statutory competences to perform such tasks related to the organization of the elections of the President of the Republic of Poland, which justified having the aforementioned data at their disposal, or that the Participant had any other obligations imposed by government administration bodies at that time, which would also justify having the Participant have the data from the PESEL register at their disposal.
This means that when reconstructing the norm resulting from Article 99 of the Personal Data Protection Act, The body was obliged to take into account in particular the provisions regulating, on the date of the contested action, the principles of conducting elections of the President of the Republic of Poland and the competences and tasks of the Participant, if any, provided for therein". - "(...) The body which received the Participant's application for disclosure of data from the PESEL register, pursuant to art. 99 of the u.s.i.w., necessary for the performance of tasks related to the organisation of elections of the President of the Republic of Poland or for the purpose of performing other obligations imposed by government administration bodies, should have determined, based on the applicable legislation, that: 1) the Participant is not entitled to any competences (tasks) in the scope of the organisation of elections of the President of the Republic of Poland, the performance of which would require the provision of the above-mentioned data, 2) no other obligations were imposed on the Participant that would require such disclosure. This means that the statutory conditions for disclosing data from the PESEL register to the Participant, provided for in art. 99 of the Act on Social Insurance Institutions, were not met." - "It should be recognized that on [...] April 2020, the Participant did not meet any of the conditions entitling him to obtain from the PESEL register data on living Polish citizens who came of age on 10 May 2020 and whose country of residence is Poland. Accordingly, (i) the Participant did not meet the requirements for the mandatory obtaining of data specified in art. 46 sec. 1 points 1 - 6 of the Act on Social Insurance Institutions, because he was not any of the entities listed in points 1 - 3 and 6, and even if we assume that as a sole-shareholder company of the State Treasury, he is a state organizational unit referred to in point 6, he did not prove that these data were necessary for him to perform public tasks specified in separate provisions; (ii) the Participant did not meet the conditions for optionally obtain the data specified in art. 46 sec. 2 points 1-5 u.e.l., in particular it did not prove that at the date of disclosure it had any own interest, i.e. concerning the sphere of its rights and obligations as a legal entity (and not related to the possible performance of public duties), in obtaining data concerning living Polish citizens who came of age on 10 May 2020 and whose country of residence is Poland".
34. In turn, the Supreme Administrative Court in its judgment of 13 March 2024 (reference number II OSK 1630/21) stated in particular that: - "P. S.A. [Company - own note] in its application for disclosure of data from the PESEL register, invoking the right arising from art. 99 of the Act, indicated that "the data are needed and will be used solely for the purpose of carrying out tasks related to the organisation of the elections of the President of the Republic of Poland". The Minister of Digital Affairs was therefore obliged to verify this application, namely whether this application was justified by the implementation of tasks related to the organisation of the elections. This, in turn, resulted in the need for another verification, this time of whether the designated operator had the competence to carry out tasks related to the organisation of the elections, because Art. 99 of the Act of 2020 alone cannot be considered the source of such competence (such competences). These sources should be sought in the provisions of electoral law (in the Electoral Code or in special provisions). If there were no appropriate provisions in the legal order in force on the date of consideration of the application granting P. S.A. competences related to the organization of the elections of the President of the Republic of Poland, thus the application in question should not be taken into account«.- “First of all, the provisions of the Act - Electoral Code did not provide for the necessity for the designated operator within the meaning of the Act - Postal Law to process personal data to carry out tasks related to the organization of the elections of the President of the Republic of Poland”.- “Therefore, if the legislator considered that there was a need to introduce, in these undoubtedly extraordinary circumstances, the necessary legal regulation providing for the designated operator to carry out tasks, mainly of a technical nature, related to the organization of the elections of the President of the Republic of Poland, which would also justify the processing of data from the PESEL register for the purposes of carrying out these tasks, such regulation could be introduced into the legal order by way of an act. Only then could a positive regulation in this matter constitute a basis for proceedings based on art. 99 of the Act of 2020 [u.s.i.w. - own note]”- “On the day of undertaking the contested action, there were no other provisions of statutory rank providing for the operator designated substantive (statutory) competence to process personal data for the purposes of carrying out tasks related to the organization of the elections of the President of the Republic of Poland. In particular, they are missing in the Act of 2020 and in the Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and crisis situations caused by them (...)". - "The decision contained in this decision [Decision of the Prime Minister of 16 April 2020 - own note] does not indicate the need for the company to process personal data from the PESEL register in connection with the order to take these actions". - "The allegation that the Court of First Instance violated Article 46 paragraph 2 item 1 of the Act on Population Registration due to the incorrect interpretation of this provision is not justified. It provides for the possibility of disclosing data from the PESEL register and the register of residents to individuals and organizational units if they demonstrate a legal interest in doing so. In explaining the legal basis for its ruling, the court referred, and rightly so, to the legal regulation contained in art. 46 sec. 1 and 2 of the Act on the Population Register, stating that in its assessment it cannot be assumed that the lack of grounds for disclosing data from the PESEL register based on art. 99 of the Act of 2020 can be cured by demonstrating that the designated operator within the meaning of the Postal Law meets the requirements for disclosing data from the register on general principles. In relation to the possibility of optional disclosure of data under art. 46 sec. 2 point 1 of the Population Registration Act stated that the company in its application did not refer to the existence of its own, individual legal interest in the scope of its rights or obligations to process data from the register, but to the performance of tasks of a public nature. However, when submitting the application, the company did not act as an "external entity", but as an authority in the functional sense, and as demonstrated - without competence (sufficient statutory authorization) to perform tasks related to the organization of elections.
III. Assessment of the President of the UODO.
35. As already indicated, the list of conditions for the admissibility of personal data processing, contained in Art. 6 sec. 1 of Regulation 2016/679, is enumerative (it is a closed list), and each of them has an equal, autonomous and independent character. For the legality of the data processing process (each activity constituting their processing), it is therefore necessary and sufficient to meet one of them.
36. At the same time, taking into account the constitutional rule of law (Article 7 of the Constitution of the Republic of Poland), it is reasonable to assume that the legality of the analysed actions of the Minister should be verified primarily in the context of meeting the conditions for the admissibility of data processing specified in Article 6 paragraph 1 letter c) of Regulation 2016/679. Due to the fact that the assessed data processing process by the Company was to serve the implementation of specific tasks in the public sphere, which the Company was to be obliged to undertake by the Decision of the Prime Minister of 16 April 2020, it also requires verification first of all from the point of view of meeting the requirements specified in the aforementioned provision.
37. At the same time, the decisive factors from the point of view of assessing the legality of the analysed actions of the Minister and the Company in the context of the provisions on personal data protection are the decisions contained in the court judgments described above, i.e. in the judgment of the Voivevodship Administrative Court of 15 September 2020 (reference number VII SA/Wa 992/20) declaring the invalidity of the Decision of the PRM of 16 April 2020, upheld by the above-mentioned judgment. in the judgment of the Supreme Administrative Court of 28 June 2024 (reference number III OSK 4524/21) and in the judgment of the Regional Administrative Court of 26 February 2021 (reference number IV SA/Wa 1817/20) determining the ineffectiveness of the action of the Minister of 22 April 2020 consisting in providing the Company, from the PESEL register, with personal data of living Polish citizens who became of age on 10 May 2020 and whose country of residence is Poland, as issued in violation of the provisions of the law in force on the date of its execution, upheld by the above-mentioned judgment of the Supreme Administrative Court of 13 March 2024 (reference number II OSK 1630/21). Expressed in the above-mentioned In the judgments of administrative courts, the legal assessment of the actions of the Prime Minister and the Minister of Digital Affairs clearly also affects the assessment of the Company's actions (which are a consequence and implementation of the Decision of the Prime Minister of 16 April 2020) and results in the necessity to recognise that the analysed processing of personal data by the Minister (consisting in making them available to the Company), as well as the processing of these data by the Company (in a manner consisting in obtaining them from the Minister and subjecting them to further processing for purposes related to the organisation of general elections for the President of the Republic of Poland ordered in 2020, which process finally ended with the deletion of these data) was not based on Article 6 paragraph 1 of Regulation 2016/679.
38. Considering that the aforementioned judgments found the invalidity of the decision of the Prime Minister of 16 April 2020, imposing on the Company obligations in the area of carrying out the necessary activities aimed at preparing to hold elections by correspondence, and the ineffectiveness of the activities of the Minister of Digital Affairs aimed at ensuring the Company the possibility of carrying out these obligations - i.e. providing the Company with personal data from the PESEL register, as an activity infringing the provisions of the law, it should be considered that the assessed data processing activities (their disclosure by the Minister to the Company and their acquisition by the Company and subjecting them to further processing for the purposes of organising the elections) were not supported by Art. 6 sec. 1 letter c) of Regulation 2016/679. The findings and legal assessments of the administrative courts indicated in the above judgments oblige us to assume that since on the date of implementation of the above data processing activities, there was no competence standard on the part of the Company authorizing it to act in the area of preparing the elections of the President of the Republic of Poland, then the disclosure of the data in question by the Minister to the Company and their acquisition and further processing by the Company for the purposes related to the preparation of these elections cannot be considered as processing activities carried out in order to fulfill the obligations incumbent on the above-mentioned administrators, nor necessary from the point of view of fulfilling these obligations.
39. For the reasons given, being bound by the positions of the administrative courts expressed in the above-mentioned judgments and the comprehensive analysis made by them of the legal status in force on the date of issue of the PRM Decision of 16 April 2020 and on the date of transfer of personal data by the Minister to the Company (their acquisition by the Company from the Minister), and thus fully sharing them, the supervisory authority determined that in this case the premise of Article 6 paragraph 1 letter a) was not met. c) Regulation 2016/679 authorizing the disclosure of personal data by the Minister to the Company and their acquisition and processing in the period from 22 April 2020 to 15-22 May 2020 by the Company in order to carry out tasks related to the organization of the general elections for the President of the Republic of Poland called in 2020.
40. For the same reason, the analyzed processing activities (disclosure of data from the PESEL register by the Minister and their acquisition and further processing by the Company) cannot be assessed as legal under the conditions specified in Art. 6 sec. 1 lit. e) Regulation 2016/679. In both cases regulated by this provision – i.e. both in a situation where data processing is necessary for the performance of a task carried out in the public interest and when it is necessary in the exercise of official authority vested in the controller – the task and the exercise of official authority must be specified in the provisions referred to in Art. 6 sec. 3 of Regulation 2016/679. Meanwhile, in the case under examination – in the light of the cited judgments of the administrative courts – such regulations did not exist. It is secondary in this situation that basing the processing on the basis of Art. 6 sec. 1 letter e) of Regulation 2016/679 involves granting persons whose data are to be processed additional, specific rights regulated in Art. 21 of Regulation 2016/679. According to this provision, the data subject is entitled to object, for reasons related to his/her particular situation, to the processing of personal data concerning him/her. The objection results in the controller no longer being able to process this personal data, unless he/she demonstrates the existence of important legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or grounds for establishing, pursuing or defending claims. In the case at hand, it is obvious that the actions of the Minister and the Company were not related – even in their assumptions – to the intention to examine the validity and respect for any position of the data subjects towards their processing, expressed in the form of an objection.
41. For the sake of order, it should be noted that the assessed processing activities were also not supported by Article 6 paragraph 1 letter d) of Regulation 2016/679 (necessity of data processing to protect the vital interests of the data subject or another natural person). Even if we were to assume that the actions of the Minister and the Company were to serve the implementation of the vital interests of the data subjects (undefined precisely goals in the scope of protecting their life and health), then in the absence of competence regulations on the part of the indicated administrators in the scope of implementing activities related to the organization of elections, and at the same time the lack of specific competences regarding health protection, it is obvious that the above-mentioned premise could not be met in the case at hand. Respecting the independent, autonomous nature of the premises for the admissibility of data processing cannot lead to conclusions that would be in conflict with the constitutional principle of the legality of the actions of public authorities. This authority cannot therefore go beyond the scope of competences defined by law, referring to the needs related to the protection of the vital interests of the data subjects. On the one hand, it seems reasonable to assume that the entire organization of the state - in its public sphere - is to serve the broadly understood, vital interests of citizens. On the other hand, without a doubt, certain state structures, as well as certain private sector entities, are dedicated to achieving goals in the area of protecting life and health, and neither the Minister nor the Company are among them. Finally, the organization of elections, also in a special period - due to the pandemic situation - does not in itself directly serve the protection of life or health. It is impossible to deny the need and justification for a discussion on possible, adequate modifications in the area of implementing the electoral procedure in a situation where the election date fell during the pandemic period, nevertheless the main goal of the actions of the Minister and the Company was to prepare the elections, and not actions to protect the vital interests of data subjects in the area of their health. For this reason, it is impossible to consider the criterion of the necessity of the analyzed data processing process (their disclosure by the Minister and acquisition by the Company) for the implementation of the vital interests of data subjects (in the area of protecting their life and health) as met. According to the position presented in the literature on the subject, the concept of the necessity of data processing from the point of view of protecting the vital interests of data subjects, quote: "(...) should be understood in a similar way as under the provision of Art. 6 sec. 1 letter b. It therefore means that data processing for the protection of the vital interests of the data subject or another natural person must be, reasonably assessed, necessary (...) there must be a direct relationship between the protection of the vital interest and the need to process personal data." (D. Lubasz, W. Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary, ed. E. Bielak-Jomaa, Warsaw 2018, art. 6). It is also emphasized that, quote: "In order to base data processing on the premise in question, it should be necessary to protect the vital interests of the person, i.e. failure to process the data could lead to a threat or infringement of the vital interests of that person. The decision as to whether data processing is necessary should be made individually, in a specific case, taking into account the actual circumstances of data processing" (P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed., Warsaw 2022, art. 6).
42. The lack of the other conditions for the admissibility of data processing in the case under examination does not require a broader justification. The data processing process in question was supposed to be carried out in the exercise of public authority. Undoubtedly, the data processing justified by the need to prepare elections did not involve the acceptance of the possibility for data subjects to make individual decisions regarding the admissibility of such data processing activities or to determine their conditions. It is therefore obvious that the data processing activities in question were not carried out under the conditions specified in Article 6 paragraph 1 letter a) (based on the consent of the data subjects) or Article 6 paragraph 1 letter b) of Regulation 2016/679 (as necessary for the performance of a contract to which the data subject is a party or for taking action at the request of the data subjects before concluding a contract).
43. It is also excluded that the contested processing of personal data was based on Article 6 paragraph 1 letter f) of Regulation 2016/679. This premise cannot even theoretically be analyzed as the basis for the data processing process under review in the scope in which it was implemented by the Minister (providing personal data for the Company) – due to the regulation contained in art. 6 sec. 1 in fine.
44. The finding that the personal data processing process under review by the Minister and the Company was implemented despite the lack of a legal basis under art. 6 sec. 1 of Regulation 2016/679 is related to the finding that the indicated administrators also violated art. 5 sec. 1 letter a) of the aforementioned legal act – violating the principle of legality, reliability and transparency expressed therein.
45. In the circumstances in which the Minister and the Company unauthorised processing of a particularly extensive set of personal data from the PESEL register took place, the need for which was justified by referring to the ongoing pandemic and the need to protect the most important assets from the point of view of citizens – i.e. their life and health (this was the justification for the activities aimed at preparing for the elections to be held by correspondence), the weight and significance of the data quality rules, including the above-mentioned rule, and the need to respect it seem particularly significant. As indicated in the literature on the subject, quote: "The obligation to process data fairly means that the controller should not (...) take advantage of his [the data subject's] difficult situation, limitations or forced position, take advantage of his stronger position by imposing onerous conditions for data processing, and should respect the will and interests and legitimate expectations of the data subject" (P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed., Warsaw 2022, art. 5).
46. It should be noted here that the principle of legality, formulated in Article 5 paragraph 1 letter a) Regulation 2016/679 (which is one of the basic principles of personal data processing), "(...) also referred to as the lawfulness of data processing, means the requirement to comply with the standards established in the provisions of law. The principle of compliance of data processing with the law has a wide substantive scope, and it concerns not only the provisions of the commented regulation, but also the provisions contained in other normative acts. (...) Among the provisions concerning data processing, a special role is played by the requirements relating to the compliance of processing with the law (also referred to as the so-called grounds for the admissibility of data processing or conditions for the lawfulness of data processing), specified in the provisions of Art. 6, 9 and 10 of the commented regulation. These provisions indicate cases where data processing is legally permissible (to put it simply: when personal data can be lawfully processed)" (P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons in connection with with the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed., Warsaw 2022, art. 5).
47. When analysing the case at hand, it is crucial to emphasise and clearly state that the fact of unjustified disclosure of personal data from the PESEL register and their processing by the Company threatened the proper implementation of the rights of citizens under the Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws No. 78, item 483, as amended). This is particularly important, as in accordance with Art. 47 of the Constitution of the Republic of Poland, every person has the right to legal protection of private and family life, honour and good name, and to decide about their personal life. It should be noted that the right to privacy is one of the fundamental human rights, and its protection is a fundamental element of the system of values. At the same time, the effects of violations of unauthorized access to information may be claimed under the provisions of civil, criminal and administrative law. The Court of Appeal in Warsaw also commented on this matter in its judgment of 19 November 2019, file ref. Act VI ACa 397/18, indicating that "The right to privacy in the light of constitutional regulations is understood primarily through the prism of the autonomy of the individual derived from the concept of dignity of the human person, which, in the light of art. 30 of the Constitution of the Republic of Poland, constitutes the source of all rights and freedoms. The right to the protection of private life, which is the subject of protection under art. 47 of the Constitution of the Republic of Poland, means the right of the individual to decide about his or her personal life. The individual, as a subject endowed with autonomy of will, has the right to independently determine the area of his or her privacy, in particular to set the limits of access to his or her personal life and information about it for others. The right to privacy in the aspect of the information autonomy of the individual means the right to decide which information concerning him or her will be available to third parties". In correlation with the above provision is also art. 51 of the Constitution of the Republic of Poland, according to which every citizen has the right to the protection of personal data. According to the Court of Appeal in Warsaw (judgment of 23 August 2018, file reference VI ACa 1927/16), "The right to personal data protection is an emanation of the right to information autonomy, allowing an individual to control, to a certain extent, the manner and scope of information concerning them that is made available. In the event of its infringement, depending on the specific circumstances of the case, it may result in an infringement of certain personal rights, subject to a separate regime, protected by the provisions of the Constitution, as well as in particular within the framework of the regulations of Art. 23 and 24 of the Civil Code."
48. It is worth citing here the statements of the Supreme Administrative Court, which, considering the issue of the ineffectiveness of the Minister's action in question, in the aforementioned judgment of 13 March 2024 referred directly to constitutional principles: "The protection of citizens' personal data, including their data contained in the universal electronic population registration system (PESEL register), in which basic data identifying the identity and administrative and legal status of natural persons are collected, has a strong foundation in constitutional provisions and EU law. It is emphasized in the case law and doctrine that there is an inseparable link between the right of persons whose data is processed to the protection of such data with the right to privacy, a value protected under Art. 47 of the Constitution of the Republic of Poland. In relations with public authorities, this provision should be treated as a principle, from which exceptions are only permissible if they meet the requirements specified in Art. 31 sec. 3 of the Constitution (cf. M. Wild [in:] Constitution of the Republic of Poland Commentary, ed. M. Safjan and L. Bosek, Volume I Wydawnictwo C.H. Beck Warszawa 2016, p. 1174). In accordance with art. 51 sec. 2 of the Constitution, public authorities may not obtain, collect and make available information about citizens other than that necessary in a democratic state ruled by law. The Constitutional Tribunal, emphasizing the importance of the right to privacy, recognizes that this right - like other rights and freedoms of an individual - is not absolute and may be subject to limitations. However, it is necessary for these limitations to be formulated in a way that satisfies constitutional requirements (see the judgment of the Constitutional Tribunal of 24 June 1997, ref. no. K 21/96, OTK 1997/2/23). This means that a limitation of the right to privacy manifested in the disclosure by the administrator of information about citizens (personal data) may only occur when another clearly defined norm, principle or value supports it constitutional, and the degree of this limitation is in appropriate proportion to the importance of the interest that this limitation is to serve”.
49. To sum up the arguments analysed above, it should be clearly emphasised that the Minister and the Company, by unjustifiably – respectively – disclosing and processing personal data from the PESEL register, processed personal data contrary to the applicable provisions of law, and therefore in breach of the provisions, i.e. art. 6 sec. 1 of Regulation 2016/679, and consequently in breach of the principle of legality, expressed in art. 5 sec. 1 letter a) of Regulation 2016/679.
IV. Response to the Company's letters received by the President of the Personal Data Protection Office on February 26 and 27, 2025
50. After receiving a letter informing it that the President of the Personal Data Protection Office had conducted an administrative proceeding, as a result of which he had collected evidence sufficient to issue a decision in the case in question (which took place on February 19, 2025), the Company submitted two letters: the first was received by the Personal Data Protection Office on February 26, 2025, and the next one – one day later.
IV.A. Response to the Company's letter received by the President of the Personal Data Protection Office on February 26, 2025
51. In the letter received by the President of the Personal Data Protection Office on February 26, 2025 (hereinafter referred to as the "letter of February 26, 2025"), the Company, represented by its attorney, indicated that in its opinion the proceedings conducted in this case had not yet collected the necessary evidence, as a result of which the supervisory authority failed to establish the entirety of the factual circumstances, in accordance with Article 7 of the Code of Administrative Procedure (hereinafter also referred to as the "KPA"), Article 77 § 1 of the KPA and Article 80 of the KPA (to which the President of the Personal Data Protection Office will refer in further points of this Part IV.A) and in connection with this, it filed a number of applications.
52. First, the Company requested an extension of the proceedings pursuant to Article 35 k.p.a., by at least 30 days, due to the particular complexity of the case, as well as the extensiveness of the material that needs to be analyzed. In the Company's opinion, this is indicated, for example, by the change of opinion in the case in question by the President of the UODO, whereby it referred to the position of the supervisory authority published in April 2020 on the website of the President of the UODO, to decisions to discontinue the proceedings (as it should be assumed, the Company referred here to proceedings initiated by individual complaints, culminating in the issuance of a decision in the period preceding the final conclusion of the cases in which the judgments of the Provincial Administrative Court and the Supreme Administrative Court were issued, described in points 11 and 12 of this decision), and then to this year's statement of the President of the UODO, in which he stated "there is no doubt that a breach of data protection occurred in this case". 53. The application referred to in point 52 above should, in the opinion of the supervisory authority, be deemed devoid of any basis. According to Article 35 § 1 of the Code of Administrative Procedure, public administration bodies are obliged to deal with matters without undue delay. Matters that can be considered based on evidence presented by the party together with the request to initiate proceedings or based on facts and evidence that are generally known or are known ex officio to the body before which the proceedings are conducted, or can be determined on the basis of data available to that body, should be dealt with immediately (§ 2). In turn, a matter requiring explanatory proceedings should be dealt with no later than within one month, and a particularly complicated case – no later than within two months from the date of initiation of the proceedings, and in appeal proceedings – within one month from the date of receipt of the appeal (§ 3). 54. As indicated in the literature concerning Article 35 of the Code of Administrative Procedure: "The purpose of the provisions in question is to ensure quick and efficient handling of cases. In accordance with the general principle contained in Article 12, administrative bodies should act in a thorough and prompt manner in a case. (...) The term "without undue delay" does not mean that the case should be handled immediately, but as quickly as possible. An employee of the body cannot therefore postpone handling the case until the expiry of the statutory deadline for handling it, but should handle it as soon as possible (R. Hauser, Deadlines for handling cases in the Code of Administrative Procedure in doctrine and court rulings, RPEiS 1997, No. 1, p. 1). (…) the body after (…) collecting and analysing the data in its possession should immediately decide on the matter" (P. M. Przybysz [in:] Code of Administrative Procedure. Updated Commentary, LEX/el. 2024, art. 35).
55. The deadlines specified in Article 35 of the Code of Administrative Procedure are the assumed maximum deadlines for resolving cases. The body examining the case strives to resolve it in the shortest possible time. In other words, it would not be justified to accuse the body of having resolved the case (resolved it with a decision) in a shorter time than the maximum, or of not extending the duration of the proceedings to the maximum provided for in Article 35 of the Code of Administrative Procedure – if it had previously had sufficient evidence to issue a decision. At the same time, the assessment of the level of complexity of the case – important from the point of view of determining the justification for extending the duration of the proceedings – is not made by the party. As indicated in the cited literature: »The particularly complicated nature of an administrative case may be justified due to the complex factual circumstances of the case, requiring a careful and thorough explanatory procedure, as well as due to the unclear legal status, requiring a careful interpretation of the provisions of the law or due to the precedent-setting nature of the decision. The classification of a given case as a "case requiring explanatory proceedings" or as a "particularly complex case" is the responsibility of the body conducting the proceedings" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, art. 35).
56. In the face of the final judgments of the administrative courts described in points 11 and 12 of this decision, which contain a binding assessment indicating the invalidity of the PRM Decision of 16 April 2020 and the ineffectiveness of the Minister's actions of 22 April 2020, there has been an obvious change in the legal situation from the point of view of the possibility of making a substantive assessment of the discussed actions of the Minister and the Company by the supervisory body and its only permissible direction. In this changed legal reality, the issuance of an administrative decision concerning the above-mentioned actions of the Minister and the Company and their consequences under the provisions on personal data protection has become possible, justified and necessary, and – it seems – socially expected – constituting an expression of the fulfilment of the legal obligation of the supervisory authority to ensure compliance with the provisions on personal data protection and to draw consequences for their violation. Taking into account the binding nature of the above-mentioned judgments and the fact that they determined the issue of the lack of legal justification for the Minister's actions consisting in providing the Company with certain categories of personal data from the PESEL register, and consequently the lack of legal justification for their acquisition and further processing by the Company, one cannot agree with the Company's arguments regarding the level of complexity of the administrative case being decided, or the scope and nature of the evidentiary material necessary to assess the compliance of these actions with the provisions on personal data protection. Taking into account that the decision is limited to assessing the admissibility of the above-mentioned actions on the basis of the provisions on the protection of personal data and its consequences, and its direction was somehow determined by the aforementioned judgments – which were also obviously available to the parties to these proceedings, it is also impossible to speak of the precedent-setting nature of the decision in this case, which would necessarily affect the length of the administrative proceedings preceding its issuance (as indicated by the Company in the next application discussed in point 58 of this decision).
57. In the context of the Company's arguments regarding the complexity or precedent-setting nature of the case, as well as the other applications contained in the letter of 26 February 2025, attention should also be paid to the principle associated with the aforementioned Article 35 of the Code of Administrative Procedure, i.e. the principle of speed and simplicity of the proceedings resulting from Article 12 of the Code of Administrative Procedure. This provision (in § 1) states that public administration bodies should act in a thorough and prompt manner, using the simplest possible means to resolve the matter, and matters that do not require the collection of evidence, information or explanations should be resolved immediately (§ 2). The doctrine indicates that "The principle of speed and simplicity of proceedings requires public administration bodies to act thoroughly and quickly, using the simplest possible means to resolve the matter (Article 12). The speed of administrative application of law is an operational value that promotes the realization of the rule of law. (...). The purpose of the principle in question is to lead to the quickest possible issuance of a decision, and therefore the principle in question also implements the postulate of reliability of administrative proceedings (reliability of issuing a decision). Unjustified refraining by the body from issuing a decision or evading the resolution of a case violates Article 12 § 1" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, Article 12). In the context of, among others, the Article already mentioned repeatedly in this decision, 170 p.p.s.a., which provides that a final judgment is binding not only on the parties and the court that issued it, but also on other courts and other state bodies, and in cases provided for in the Act, also on other persons, it should be emphasized that carrying out unnecessary activities in a situation where the supervisory body is bound by the judgments indicated in points 11 and 12 of this decision would be contrary to the principles of procedural economy.
58. In a letter dated 26 February 2025, the Company also filed an application under Article 10 § 1 of the Code of Administrative Procedure. to ensure that the party actually participates actively in the proceedings (by implementing the evidentiary motions from this letter) and, before issuing a decision, to set a deadline of at least 30 days for reviewing the complete files, which will enable the party to make a reliable and comprehensive statement on all the evidence and materials collected. The Company also indicated that in these proceedings the supervisory authority did not receive explanations from the party. In the Company's opinion, its letters submitted to the supervisory authority in other proceedings cannot be considered sufficient, and the party has the right to present its position in these proceedings. The case is of a precedent nature - an analogous issue has never been examined before, because there has never been an analogous case before. 59. This application (referred to in the previous point) should also not be accepted in the opinion of the President of the UODO, and when explaining the position adopted in this respect, the supervisory authority will also refer in a general manner to subsequent evidentiary applications described in the following points containing their citation.
60. In accordance with Art. 10 § 1 of the Code of Administrative Procedure, public administration bodies are obliged to ensure the parties' active participation in each stage of the proceedings, and before issuing a decision, enable them to express their views on the evidence and materials collected and the requests submitted. The Company took advantage of the opportunity to inspect the proceedings files twice: on January 23, 2025 and immediately after receiving the notification that the supervisory authority had collected evidence sufficient to issue a decision in this case: on February 21, 2025. After receiving this notification, the Company delivered two letters to the President: dated February 26, 2025, containing primarily evidentiary motions, and dated February 27, 2025, which contains the Company's position on the matter. Given the fact that the President of the UODO recognized that neither of these letters led to him obtaining information that would affect the assessment of the admissibility of the Minister disclosing personal data and the lawfulness of their further processing by the Company (which has already been assessed in a manner binding on the supervisory authority by the courts in the judgments described in points 11 and 12 of this decision), it is difficult to find any violation of Article 10 § 1 of the Code of Administrative Procedure. The regulations oblige the body conducting administrative proceedings to grant the party's request to take evidence only if the subject of the evidence is a circumstance that is relevant to the case (Article 78 § 1 of the Code of Administrative Procedure). The public administration body may not grant a request (§ 1) that was not submitted during the taking of evidence or during the hearing, if the request concerns circumstances already established by other evidence, unless they are relevant to the case (Article 78 § 2 of the Code of Administrative Procedure).
61. To put the above differently: the public administration body is obliged to grant the party's request to take evidence only if it finds that the subject of the evidence is a circumstance that is relevant to the case. In the doctrine, it is assumed that the assessment of whether the subject of the evidence is a circumstance that is relevant to the case or not belongs to the body, not to the party. This means that the body conducting the proceedings is not bound by the party's evidentiary requests. The authority is, however, bound in this respect by the provisions of substantive law, which constitute the basis for the decision[9]. Therefore, it will be up to the authority to decide whether to admit a given piece of evidence or not. There is no doubt that the authority should first consider whether a given circumstance, for which the evidence was called by the party, requires proof. According to the judgment of the Supreme Administrative Court of 4 August 2017 (ref. I OSK 1607/16, LEX no. 2345355), in each proceeding the authority is obliged to collect evidence that is relevant to resolving a given case and to make the necessary factual findings on that basis. However, the factual findings that are necessary to resolve the case are determined by correctly interpreted provisions of substantive law, and not the subjective conviction of the party. No authority conducting the proceedings is obliged to hear all the evidence requested by the party. The evidence indicated by the party may not be omitted only if the disputed facts relevant to resolving the case have not been explained. This means that only a failure to establish circumstances that are relevant to the case can be considered a breach of the rules of procedure, which could affect the content of the factual findings and, consequently, the content of the judgment concluding the proceedings in a given case.
62. The right of the party provided for in Article 78 of the Code of Administrative Procedure is subject to limitations due to the purpose and speed of the proceedings. The authority may not accept the request to take evidence if it is intended to prolong the case (judgment of the Supreme Administrative Court of 29 November 2016, file reference II GSK 3322/15, LEX No. 2230883).
63. For the sake of clarity, it should be noted that: "In the judgment of the Supreme Administrative Court in Lublin of 15 December 1995, SA/Lu 507/95, LEX No. 27107, it was stated that: "The subject of evidence must be a circumstance that has legal significance for resolving the case (Article 78 § 1 of the Code of Administrative Procedure), and therefore relates to the subject matter of the case and has legal significance for resolving the case" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, Article 78).
64. The President of the UODO considered the evidentiary motions indicated by the Company to be irrelevant to the case, because in his opinion the evidence collected in the case is sufficient to resolve it, and the authority is not obliged to take into account all of the party's motions. It should be emphasized that – in the context of the above-mentioned judgments of the administrative courts – the evidentiary activities requested by the Company serve to demonstrate circumstances that no longer require proof or circumstances that are irrelevant from the point of view of resolving the case in question. The supervisory authority has no basis to conduct any evidentiary activities regarding the legality of the disclosure – as part of activities aimed at preparing for the elections for the President of the Republic of Poland, which were to be held on 10 May 2020 – by the Minister of specific personal data from the PESEL register to the Company and their acquisition and further processing by the Company. The issue of the lack of legal grounds for the above-mentioned activities was unequivocally resolved (assessed) by the administrative courts, and this assessment, as has already been repeatedly emphasized in this decision, is binding on the supervisory authority. The position of the supervisory authority in the discussed scope is an obvious and necessary consequence of the discussed court decisions – therefore, the validity and direction of the resolution of the case in question by the supervisory authority cannot raise any doubts. It should be remembered that the scope of the resolution covered only the issue of the legal assessment of the admissibility of the aforementioned actions of the Minister and the Company in the context of the provisions on personal data protection. The above explains the reasons for which there are no grounds for taking into account the evidentiary motions submitted by the Company.
65. In the letter of 26 February 2025, the Company also requested that evidence be taken from documents in the form of files of all proceedings listed in the letter (...) of 12 February 2025 and in the annex thereto (178 proceedings), by attaching them to the files of these proceedings; or alternatively, enabling Poczta Polska S.A. to obtain access to the proceedings in question. The Company noted that in accordance with Article 73 § 1 of the Code of Administrative Procedure, the party has the right to inspect the case files, make notes, copies or extracts from them, and this right is also granted after the end of the proceedings. In the Company's opinion, since the supervisory authority considers it important for these proceedings to refer to the proceedings listed in the letter of 12 February 2025 (while also having access to them), the party to the proceedings should also have the opportunity to analyse them, especially in proceedings that may end with the imposition of a fine. The Company stated that the circumstance regarding the number of complaints received is clearly irrelevant, but what is important (apart from the number itself) is what was the subject of the complaints, what evidentiary proceedings were conducted, and finally - what the supervisory authority's decisions were. In the Company's opinion, these circumstances should be established during the evidentiary proceedings, with the parties being allowed to familiarise themselves with them.
66. The President of the UODO considered the conclusions indicated in the above point to be unfounded. When processing huge amounts of personal data on a daily basis, the Company should be aware that, in accordance with art. 83 sec. 2 letter e) of Regulation 2016/679, when deciding whether to impose an administrative fine and setting its amount, the supervisory authority shall, in each individual case, give due consideration to, among other things, any relevant previous infringements by the controller or processor. As will be demonstrated in the next part of this decision (see parts V.B and V.C), the President of the UODO acted in accordance with the above provision. It is obvious that in the case of each controller, all relevant infringements that have occurred on its side are taken into account, which means that infringements concerning the Minister were not taken into account when making a decision concerning the Company (and vice versa) – hence the Company’s request to include the files of proceedings to which the Minister was a party is completely unjustified. Similarly, attaching the files of the proceedings listed in the above is unjustified. letter dated 12 February 2025, which were conducted with the participation of the Company – it has knowledge of their course and decisions made and may at any time exercise its right under Article 73 § 1 of the Code of Administrative Procedure.
67. Also, the files of administrative proceedings (178) in individual cases listed in a general manner in the letter (...) dated 12 February 2025 were not in fact included in the files of these proceedings. These proceedings clearly concern strictly individual allegations made by individual complainants against the Minister or the Company and their related demands. The subjective and objective scope of these proceedings, as well as the stage at which they are currently located, are different. However, their common denominator is the factual situation underlying the initiated complaint proceedings – i.e. the activities of the above-mentioned administrators in the area of personal data of the complainants related to the procedure for preparing for the elections for the office of the President of the Republic of Poland, which were to be held on 10 May 2020. Regardless of the validity of the claims of individual complainants filed in individual administrative proceedings, the number of complaints initiating them indicates that a relatively large group of citizens identified specific damages on their side related to the above-mentioned activities in the area of organizing the elections, and at the same time is a measure of the social response to the above-mentioned activities.
68. In the following points (4 and 5) of its letter of 26 February 2025, the Company requested the taking of evidence from an expert opinion in the field of security regarding the security measures applied by Poczta Polska S.A. in relation to the data obtained, the security of the medium, the security procedures applied in the Company in relation to the medium, the regulation of access by natural persons, the actions taken by Poczta Polska S.A. in relation to the medium, the method of destroying the data medium as to its durability and completeness, as well as to take evidence from an expert in the field of IT to confirm that no data was saved on hard drives or in the computing cloud from the medium on which Poczta Polska S.A. obtained personal data in connection with the postal elections in 2020. However, both of these applications concern circumstances unrelated to the subject of this decision. The scope of the decision covered only the issue of assessing the legal admissibility of the actions of the Minister (consisting of making personal data from the PESEL register available to the Company) and the Company (i.e. obtaining and further processing of this data by it without legal justification) in the context of the provisions on the protection of personal data. In view of the above, the President of the UODO considered these applications of the Company to be completely devoid of justification. 69. In addition, in a letter dated 26 February 2025, the Company requested that evidence be taken in the form of testimonies from three witnesses (indicated in point 6 under letters a–c of this letter) regarding: the category of personal data obtained, the time of data processing, the scope of processing, the determination (quote:) “when and in what conditions” the processing was terminated, including the manner of destroying the medium with personal data, as well as the exercise of due diligence by Poczta Polska S.A. at each stage of processing.
70. Referring to the Company's application in the scope described in the previous point, it should be noted that the circumstances relevant to these proceedings result from the findings indicated in the judgments of the Provincial Administrative Court and the Supreme Administrative Court binding on the supervisory authority (referred to in points 11 and 12 of this decision), as well as from the documents collected in the files of these proceedings. Therefore, in the opinion of the President of the Personal Data Protection Office, none of the aspects to which the statements of the persons indicated in point 6 letters a – c of the aforementioned letter are supposed to relate requires taking such evidence to establish it to a degree sufficient to issue a decision. In a situation where, for example, the period of personal data processing by the Company can be determined to a degree relevant to these proceedings based on explanations provided by, for example, the Company itself (see points 6 and 10 of this decision), taking additional evidence on this occasion is unnecessary. This would also be contrary to the above-mentioned principles of economics of administrative proceedings – it would lead to their unjustified prolongation.
71. In the same point 6 of the letter of 26 February 2025 (in letter d), the Company requested taking evidence in the form of statements from another indicated witness on the following circumstances: procedures in force at Poczta Polska S.A. in the scope of personal data protection, cooperation with the President of the UODO in matters related to preparations for the postal elections in 2020, and other matters. However, as in the case of the applications described in point 69 of this decision, this application (within the scope of the above-mentioned procedures) also concerns circumstances unrelated to the subject of this decision. As already indicated above, the scope of the ruling covered only the issue of the assessment of the legal admissibility of the actions of the Minister (consisting in providing the Company with personal data from the PESEL register) and the Company (i.e. obtaining and further processing of such data by it without legal justification) in the context of the provisions on personal data protection. In turn, it is important from the point of view of art. 83 sec. 2 lit. f) of Regulation 2016/679 is the degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its possible negative effects, and not the cooperation of a given entity in general. In the event that the Company considers "cooperation with the Authority in matters related to the preparation for the postal elections in 2020" to mean responding to requests addressed to it as part of the complaint proceedings conducted, it should be emphasized that cooperation with the supervisory authority in this sense is an obligation of every controller under Art. 31 of Regulation 2016/679, and failure to properly fulfil this obligation is sanctioned by the possibility of imposing an administrative fine under Art. 83 sec. 4 letter a) of the aforementioned Regulation. Therefore, even if the authority took into account the Company's previous cooperation with the President of the UODO (which, however, is not justified in the light of the provision of Article 83 paragraph 2 letter f) of Regulation 2016/679), this circumstance would be assessed neutrally and would have no impact on the penalty imposed in these proceedings - for which reason, the taking of evidence from the witness's testimony should be considered unnecessary, as it would not have had any impact on the way this case is resolved. Cooperation in order to eliminate the infringement should also be considered irrelevant, as the infringement was eliminated before the initiation of the administrative proceedings in question. In view of the above, the President of the UODO considered these applications of the Company to be completely unjustified.
72. In the last letter of point 6 (letter e) of the letter dated February 26, 2025, the Company requested that evidence be taken in the form of testimony from another designated witness regarding: the financial condition of Poczta Polska S.A. in the financial years 2020-2024 and the current situation, determining whether Poczta Polska S.A. has obtained benefits in connection with the processing of personal data in connection with the preparation for the postal elections in 2020, directly or indirectly. In the opinion of the President of the UODO, this request is unjustified. The circumstances for which the evidence requested by the Company was to be conducted were determined based on the evidence presented by the Company (financial statements for 2023) and – given the Company's failure to submit financial statements for 2024 – on information (facts) that were generally known and related to the Company's financial condition in that period. The latter information (facts that were generally known and therefore – in accordance with Art. 77 § 4 of the Code of Administrative Procedure – did not require proof) was largely presented in public by the Company itself or by a representative of the Ministry of State Assets exercising ownership supervision over the Company (their source is therefore undoubtedly also the Company itself). They are therefore credible and objective. Their analysis also leads to conclusions consistent with those that the Company would like to demonstrate to the President of the UODO – the need to moderate the penalty due to the financial condition of the Company and to take into account the circumstances of the lack of benefits that the Company would achieve in connection with the infringement. The President of the UODO took into account the poor financial condition of the Company in 2023-2024 (the Company's situation in earlier periods is, in the opinion of the President of the UODO, irrelevant to the case) as a circumstance that significantly mitigates the penalty at the stage of assessing the compliance of the amount of the penalty with the principle of proportionality (see point 150 of the justification). On the other hand, the President of the UODO also assessed the fact of the lack of benefits related to committing the infringement in favour of the Company, without treating it as an aggravating circumstance (see point 142 of the justification). In this situation, taking the evidence requested by the Company would not affect the content of the factual findings made by the President of the UODO and, consequently, the content of the ruling issued in this case (including the amount of the administrative fine imposed on the Company)[10].
73. In the next point of the letter of 26 February 2025, the Company requested, pursuant to Article 79 § 1 of the Code of Administrative Procedure, to be notified of the place and date of taking the evidence from witnesses, at the same time indicating that Poczta Polska S.A. intends to participate in the taking of evidence, including asking questions of witnesses, experts and parties and providing explanations. This request, in the context of the assessment made by the President of the UODO regarding the need to take this evidence, remains completely unfounded.
74. In point 8 of the aforementioned letter of 26 February 2025, the Company's attorney filed a motion under Article 89 § 1 and § 2 of the Code of Administrative Procedure to hold a hearing and notify him as the attorney of Poczta Polska S.A.
75. Pursuant to Article 89 of the Code of Administrative Procedure, a public administration body shall hold a hearing, ex officio or at the request of a party, in the course of the proceedings, in each case when this will ensure the acceleration or simplification of the proceedings or when required by law (§ 1). The body should hold a hearing when there is a need to reconcile the interests of the parties and when it is necessary to clarify the case with the participation of witnesses or experts or by means of an inspection (§ 2). First, analyzing the premises from paragraph 2 of the aforementioned article, it should be noted that the need to reconcile the interests of the parties occurs when "at least two parties with conflicting interests are involved in the case, which the authority should reconcile (E. Iserzon [in:] Commentary, 1970, p. 182; compare the judgment of the Supreme Administrative Court in Warsaw of 19 December 1983, I SA 806/83, LEX no. 1689-118" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, art. 89). This is not the situation we are dealing with in this case. Moreover (as already explained above), the President of the UODO did not find any grounds to consider it justified to hear witnesses or experts. In the situation in question, the premises of paragraph 2 of the aforementioned provision. The President of the UODO took the position that in the case in question, the premises of Article 89 § 1 of the Code of Administrative Procedure were not met either. As indicated in the doctrine: "A public administration body is obliged to hold a hearing when this will accelerate or simplify the proceedings. The assessment of whether holding a hearing will contribute to accelerating or simplifying the proceedings is up to the body conducting them" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, art. 89). According to the President of the UODO, holding a hearing in the analyzed situation (in which, as indicated, taking evidence from witnesses or experts is not justified) would be unnecessary. It should be borne in mind that "The party's request to hold a hearing is not binding on the body. Failure to hold a hearing despite the party's request should be assessed through the prism of the efficiency of the proceedings. The order to conduct the proceedings in a quick and thorough manner and using the simplest possible means is included in Art. 12 § 2" (P. M. Przybysz [in:] Code of Administrative Procedure. Updated Commentary, LEX/el. 2024, Art. 89). In order to explain in the most comprehensive way possible the reasons for not taking into account the analyzed application of the Company, the President of the UODO additionally refers to the content of the judgment of the Supreme Administrative Court of 1 December 2020, reference number II OSK 3866/19 (LEX No. 3121822), in which it was indicated that: "A request to conduct an administrative hearing in administrative proceedings is not binding on the authority. It is also not a form of implementation of the principle of explaining to the parties the premises for resolving the case indicated in Art. 11 of the Code of Administrative Procedure. The hearing is to serve the authority to determine the factual circumstances of the case as fully as possible, especially when it requires the participation of witnesses, experts or conducting an inspection. Its purpose is therefore not to explain to the parties of the proceedings the premises that the authority is guided by, nor to dispute its position. The explanation of the reasons for a specific resolution of the case to the parties is primarily served by the opportunity to familiarize themselves with the evidence collected and the justification of the decision”.
76. In a letter dated 26 February 2025, the Company referred to Article 72 of the Act of 10 May 2018 on the protection of personal data and Article 83 paragraph 2 of Regulation 2016/679 in the context of the possibility taken into account by the Company that the proceedings in the case of a violation of the provisions on the protection of personal data may end with the imposition of an administrative fine. In this context, it noted that: »In view of the above, taking the requested evidence is necessary, and failure to take it will undoubtedly result in establishing an erroneous, in particular incomplete, factual situation in this case, in violation of Art. 7 of the Code of Administrative Procedure, Art. 77 § 1 of the Code of Administrative Procedure and Art. 80 of the Code of Administrative Procedure. Pursuant to Art. 70 sec. 1 of the Code of Administrative Procedure, the public administration authority is obliged to exhaustively collect and consider all evidence. Meanwhile, the Authority failed to carry out activities in the course of these proceedings that lead to determining, for example, the duration of the processing of personal data by Poczta Polska S.A. in April and May 2020, the scope of their processing, etc. These circumstances may be proven by the evidence requested in points 4-6 of this letter. At the same time, it should be noted that in statements for the press (Interview for (...) of January 27, 2025) the President of the Office indicated that the proceedings would be completed within “months”. Meanwhile, on February 13, 2025, the Authority notified of the planned completion of the proceedings. In connection with the above, and referring to Article 78 § 1 of the Code of Administrative Procedure (The party's request to take evidence should be granted if the subject of the evidence is a circumstance that is significant to the case), I submit evidentiary motions as above. At the same time, I would like to point out that, out of procedural prudence, the position of Poczta Polska S.A. will be submitted within the specified deadline. However, due to the complexity of the case, the disclosure of the collected evidence will not be made until 21 February 2025, it is justified to both comply with the motions and allow the party to present explanations within a deadline that takes into account the extensive material.
77. Without repeating the argumentation of the President of the Personal Data Protection Office referred to above, it is necessary to briefly refer to the Company's comment appearing once again regarding the time of processing of personal data provided by the Minister. Namely, for the purpose of issuing this decision, it is unnecessary to determine the time of processing of personal data more precisely. In this respect, the Company submitted the statements referred to in point 6 and 10 of this decision and – as follows from the quote in the previous point – still indicates that the processing took place in April and May 2020. As already shown above, the taking of the evidence requested by the Company is, in the opinion of the President of the UODO, unnecessary for the proper decision to be made.
78. The Company's statement quoted in point 76 above, in which it alleges that "the collected evidence was made available only on 21 February 2025" remains unclear to the supervisory authority. It familiarised itself with the files of this case twice: for the first time on 23 January 2025, when the files contained, among other things, copies of the documents referred to in points 4-10 of this decision, and for the second time after it was informed that the President of the UODO had collected evidence sufficient to issue a decision in this case (which the Company received on February 19, 2025). The files were inspected again on February 21, 2025 at the Company's request, and it is difficult to find grounds for making any allegations against the supervisory authority in this state of affairs.
79. Referring to the full content of the Company's letter of 26 February 2025, it should be noted that one cannot agree with the Company's suggestion that only taking into account the evidentiary motions submitted by it will ensure its "genuine active participation in the proceedings". At each stage of the proceedings, the Company was informed about its course and its rights, and it actively exercised these rights - familiarizing itself with the evidence collected, formulating assessments and conclusions related to it. The Company was in no way limited in its ability to "reliable and comprehensively comment (...) on all the evidence and materials collected", or to present a position on individual aspects of the case being examined. The Company submitted a letter to the President of the Personal Data Protection Office containing its position on 27 February 2025 and, given the fact that the supervisory authority did not conduct any new evidence (not finding any information or evidence in the letters submitted by the Company dated 26 and 27 February 2025 that would be considered relevant to resolving this case), submitting further positions seems unjustified. 80. For the sake of clarity, it is necessary to point out again here the fact that the supervisory authority is bound by the final judgments indicated in points 11 and 12 of this decision and to recall the position expressed in the doctrine, according to which: "The binding applies to both the law (the binding of the disposition of a specific legal norm contained in the judgment, derived by the court from general norms contained in legal provisions) and factual findings. A legal assessment of a binding nature must concern the proper application of a specific provision or its correct interpretation in relation to a precisely defined decision made in a specific case. In relation to factual findings, the binding limits the proof of specific facts stated in the preliminary ruling. The ratio legis of Article 170 of the p.p.s.a. is that it guarantees the maintenance of coherence and logic of the action of state bodies, preventing the functioning in legal transactions of decisions that are irreconcilable in the entire system of exercising public authority. (judgment of the Supreme Administrative Court of 19 May 1999, IV SA 2543/98, LEX No. 48643). (...) A final judgment of an administrative court may be – in relation to the fate of the contested act – negative or positive. A negative judgment contained in a judgment upholding a complaint has a retroactive effect on that act. As a result, the proceedings before administrative bodies return to the situation that existed before the act was issued. A later court judgment is therefore of a constitutive nature and operates in this respect ex tunc – from the moment the defective decision was issued (judgment of the Regional Administrative Court in Warsaw of 23 August 2017, II SA/Wa 1317/16, LEX No. 2366752)" (B. Dauter [in:] A. Kabat, M. Niezgódka-Medek, B. Dauter, Law on the proceedings before administrative bodies administrative courts. Commentary, 9th ed., Warsaw 2024, art. 170).
81. In light of the above, granting the Company's motions would not only be devoid of justification, but would also lead to unnecessary prolongation of the proceedings. It should be emphasized that "The purpose of the regulation contained in art. 78 § 2 is to prevent the party from prolonging the proceedings by submitting unnecessary evidentiary motions, i.e. concerning circumstances that have already been indisputably established. This therefore concerns both circumstances established by evidence, as well as commonly known facts and facts known to the authority ex officio (see the judgment of the Supreme Administrative Court of 19 February 2002, V SA 1918/01, LEX no. 685539). The administrative authority is therefore entitled to assess the need to hear evidence and will not violate the provisions of administrative procedure if it refuses to hear evidence, invoking the unnecessary nature of its hearing in the light of the commented provision (see the judgment of the Supreme Administrative Court of 17 March 1986, III SA 1160/85, ONSA 1986, no. 1, item 19). The authority assesses, guided by the norm of substantive law, which facts are of significant importance for "cases, whether they require proof and what evidence is needed to prove these facts (see judgments of the Supreme Administrative Court of 15 December 1995, SA/Lu 507/95, LEX No. 27107 and SA/Lu 508/95, LEX No. 1691402)" (P. M. Przybysz [in:] Code of Administrative Procedure. Updated Commentary, LEX/el. 2024, art. 78). A similar position was expressed by A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure (LEX/el. 2025, art. 78), citing relevant case law in this respect: "The authority may not comply with a request to take evidence if it is intended to prolong the case (judgment of the Supreme Administrative Court in Gdańsk of 2 October 1998, I SA/Gd 1863/96, LEX no. 37600; compare judgment of the Supreme Administrative Court of 8 December 2017, I OSK 1214/17, LEX no. 2456039, in which it was stated that the party's right to submit a request to take evidence is subject to limitations which, in terms of expediency and the need to ensure the speed of the proceedings, the authority should consider each time, especially in a situation where there are no sufficient grounds for arguments in favor of questioning the previous findings)”.
82. At this point, it is also worth citing the position of A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure (LEX/el. 2025, art. 78), in which it was pointed out that »In the judgment of the Supreme Administrative Court in Warsaw of 17 March 1986, III SA 1160/85, ONSA 1986/1, item 19, it was assumed that: "The refusal of the appeal body to take evidence to explain the circumstances already indisputably explained by the first instance body is not a violation of the provisions of administrative procedure that had an impact on the outcome of the case, and thus does not justify the Supreme Administrative Court upholding the complaint and annulling the contested decision".
83. In order to respond to the Company's statements concerning Art. 7, 77 § 1 and Art. 80 of the Code of Administrative Procedure, it should be noted that the principle of objective truth regulated in Art. 7 of the Code of Administrative Procedure requires the body conducting the proceedings to collect ex officio or at the request of the party and consider all evidence in a manner that allows for determining the factual circumstances of the case in accordance with reality. Of course, this concerns explaining the factual circumstances to the extent required by the resolution of the case. This principle is a fundamental rule of every modern procedural regulation. remember that the correct determination of the factual circumstances of a case is a necessary – although not sufficient – condition for its correct resolution. On the other hand, Article 77 § 1 of the Code of Administrative Procedure imposes an obligation to collect and consider the full evidence in the case, which is carried out on two levels. Firstly, it consists in conducting evidentiary proceedings regarding all the circumstances constituting the law-making facts, i.e. those which, in the light of the provisions of the applicable law, are associated with specific legal consequences. Secondly, the evidence collected should be fully reflected in the factual justification of the decision. As for the obligation to assess, on the basis of the entire evidence, whether a given circumstance has been proven (Article 80 of the Code of Administrative Procedure), it cannot be claimed that a circumstance has been proven if the evidence recorded in the case files contains evidence to confirm it, and at the same time it also contains evidence that contradicts this circumstance, if it cannot be convincingly explain this contradiction. It is worth noting that for the allegation of violation of the principle of free evaluation of evidence to be effective, it is not sufficient to state that the factual findings made are defective, referring to the factual circumstances which, in the opinion of the person raising such an allegation, correspond to reality. It is necessary to indicate the reasons for disqualifying the authority's proceedings in this respect. In particular, the person raising such an allegation should indicate what assessment criteria the authority violated when assessing specific evidence, finding it unreliable and lacking in probative value or wrongly giving it credence (see: judgment of the Supreme Administrative Court of 7 August 2018, file reference number I OSK 2051/16). In the opinion of the President of the UODO - taking into account the above argumentation - it would be unfounded to accuse him of violating the principles expressed in art. 7, 77 § 1, 80 of the Code of Administrative Procedure. The supervisory authority conducted the proceedings guided by the principles resulting from these provisions, including in the decision extensive argumentation proving this.
84. To sum up, in these proceedings the President of the UODO did not take into account the Company's evidentiary motions due to the fact that sufficient evidence was collected from the point of view of resolving the case by an administrative decision, complete, logical and internally consistent. From the point of view of the legal assessment of the actions of the Minister and the Company, the judgments described in points 11 and 12 of this decision are of key importance. Since the authority is bound by the legal assessment of the actions of the Minister and the Company contained in them - as unauthorized, the supervisory authority is not obliged to conduct any explanatory activities that would serve to assess the legality of these activities. Regardless of the number and nature of the evidence conducted on the above circumstances, the authority could not assess the actions of the Minister and the Company differently than the Provincial Administrative Court and the Supreme Administrative Court assessed them in the above judgments. Such evidentiary activities should therefore be assessed as apparent and unnecessarily prolonging the proceedings, which obviously violates the principle of economics of its conduct. The authority must assess the validity of evidentiary motions guided solely by the real need to conduct them in the context of the need to collect information necessary from the point of view of the possibility of resolving the case. These activities cannot be motivated solely by the party's suggestion that refusing to take into account evidentiary motions will be considered a breach of the guarantee of active participation in the proceedings or presentation of a full position in the case.
IV.B. Response to the Company's letter received by the President of the UODO on 27 February 2025.
85. In the Company's letter, which was received by the President of the UODO on 27 February 2025 (hereinafter referred to as the "letter of 27 February 2025"), its attorney presented its position in the matter in question: 1) requesting a finding that Poczta Polska S.A. had not violated the provisions on the protection of personal data, and consequently there are no grounds for an administrative fine; or 2) requesting a finding that the actions of Poczta Polska S.A. were not unlawful, and consequently there are no grounds for imposing an administrative fine; and in the scope of the proceedings, he supported the motions, including the evidentiary motions submitted in the Company's letter discussed in section IV.A of this decision, and also requested that the evidence specified in the justification of this letter be taken on the circumstances indicated therein.
86. In the justification of the aforementioned letter, in its point I containing "Introductory information", the Company declared that "(...) it does not dispute that it processed personal data obtained from the Minister of Digitization (...) for the purposes of preparing the elections, however, it indicates the lack of illegality of such action. The Company operated solely within the limits of the law in force at the time, exercised due diligence, processed personal data to the minimum extent necessary, and then deleted them immediately after the purpose of their processing ceased to exist, in a permanent and secure manner. The imposition of an administrative fine is optional. However, it should take place when the authority finds a violation of the provisions on personal data protection, and the action of the entity processing the data is illegal and culpable". The Company, explaining that in its opinion there are no such circumstances in this case, referred, among others, to: the fact of acting on the basis of Article 99 u.s.i.w., the immediate enforceability of the PRM Decision of 16 April 2020, confirmation of the compliance of Art. 11 of the COVID-19 Act with the Constitution of the Republic of Poland by the Constitutional Tribunal, the presumption of the constitutionality of acts and the legality of administrative decisions, the fact that the Company merely requested the Minister to provide personal data, as well as confirmation of the legality of its actions by a number of entities mentioned in this letter (including the President of the UODO and the National Electoral Commission). In this context, the Company also indicated Art. 8 of the Code of Administrative Procedure, the lack of illegality of its actions confirmed by the case law of common courts, the fact of processing duly secured personal data in a minimal manner, operating in a state of epidemic - in accordance with the law in force at that time, the fact of having personal data of voters in connection with the "correspondence elements" applicable in the next elections, as well as access to the PESEL register. However, these arguments (mostly developed in points II-XI of the letter dated February 27, 2025) cannot be taken into account in the current situation, nor can the evidence attached to this letter, and the arguments of the President of the UODO in this respect will be presented in the order corresponding to the points into which the Company divided the letter dated February 27, 2025. However, it should be noted at this point that, referring to the Company's position expressed in this letter, the President of the UODO maintains his earlier arguments contained in this decision (and refers to them), in particular to the extent to which this argument refers to the fact that the supervisory authority is bound by the final judgments referred to in points 11 and 12 of this decision (including on the basis of Article 170 of the Personal Data Protection Act).
87. Referring to the above-quoted fragment of point I of the Company's letter of 27 February 2025, it should be noted that the EU legislator in Article 83 paragraph 2 letter b) of Regulation 2016/679 (without using the literal concept of "guilt") requires the supervisory authority to take into account the intentional or unintentional nature of the infringement when assessing the justification for imposing a penalty and its amount. It is worth emphasizing that this is in no way tantamount to a prohibition on imposing an administrative fine in the event of an unintentional infringement - however, this aspect has an impact on the decision taken by the authority in this respect. Moreover, it is difficult to agree with the Company's position expressed in point I of the aforementioned letter, according to which "The action of Poczta Polska S.A. was (only) to request the Minister of Digital Affairs to disclose personal data". The Company processed the data transferred to it until its deletion, which took place between May 15 and 22, 2020 (the President of the Personal Data Protection Office accepted the Company's earlier explanations in this respect) and even if this idea was developed by the Company in point VI of its letter, such a statement should not give the false impression at the beginning of the letter about the Company's minimal participation in the infringement of the provisions of Regulation 2016/679. It should also be noted here that, due to the scope of these administrative proceedings, the circumstances of securing the data processed by the Company, or the fact of their minimal processing, and even the fact that the Company has access to the PESEL register on grounds other than those on which the Company and the Minister acted in the scope examined in this case, are of no additional significance. 88. In point II of the letter dated February 27, 2025, the Company discussed the provision of Article 99 of the Personal Data Protection Act as the legal basis for its actions. However, in view of the issuance by the Provincial Administrative Court and the Supreme Administrative Court of the judgments referred to in points 11 and 12 above, by which the supervisory authority is bound, and taking into account the arguments presented so far in this decision regarding the unlawfulness of the actions of the Minister and the Company in the scope covered by these proceedings, repeating the arguments of the supervisory authority in response to the Company's statements would be unnecessary. In light of the above, the Company's statements regarding the basis specified in Article 99 of the Personal Data Protection Act on April 22, 2020, as well as those regarding the presumption of the constitutionality of this provision, are also irrelevant in the supervisory authority's assessment. The evidence attached by the Company to the letter of 27 February 2025 in the form of the decision of the President of the Office of Electronic Communications on the selection of the operator designated for the years 2016-2025 does not contribute anything significant to the case, and the content of this decision is widely known. Taking into account the arguments presented by the President of the UODO, it is also impossible to agree with the Company's statement contained in point II of the aforementioned letter that: "The considerations raised in public discourse, including in the judgments of administrative courts and the Supreme Administrative Court, regarding the defectiveness of the Decision of the Prime Minister, are of minimal importance to these proceedings and do not prejudge the unlawfulness of the acquisition of personal data by Poczta Polska S.A.". 89. In point III of the letter dated 27 February 2025, the Company presented its position regarding the "Nature of the Decision of the Prime Minister", indicating that it was immediately enforceable from the moment of its delivery and did not require justification, and that the Company had no possibility under the law to oppose the execution of the Decision of the Prime Minister. Referring to the above-mentioned claims, the President of the UODO considers it unnecessary to repeat the extensive analysis regarding the nature of the PRM Decision of 16 April 2020, previously carried out in the judgments of the Voivodeship Administrative Court and the Supreme Administrative Court, referred to in point 11 of this decision - which the supervisory authority fully shares. On the sidelines, however, it should be noted that there is no justification, both in the factual and legal circumstances, for the Company's claim regarding the impossibility of opposing the order resulting from the above-mentioned administrative decision. The Company, as a party to the administrative proceedings concluded with the issuance of the above-mentioned decision of the public administration authority, exercising the powers granted to it under the provisions of the Code of Administrative Procedure, could have requested the authority that issued the decision to reconsider the case (Article 127 § 3 of the Code of Administrative Procedure) – which possibility the Company itself indicated in the letter submitted to the supervisory authority – as well as filed a request to supplement the decision as to its decision (Article 111 § 1 of the Code of Administrative Procedure) or to request clarification of doubts as to the content of the decision (Article 113 § 2 of the Code of Administrative Procedure). However, the Company did not exercise any of these powers, despite justified doubts regarding the compliance of the PRM Decision of 16 April 2020 with the provisions of law in force at that time – which doubts also emerged on the Company's side. This conclusion should be drawn from the Information of 23 April 2021 on the results of the audit conducted by the Supreme Audit Office with respect to the activities of selected entities in connection with the preparation of the general elections for the President of the Republic of Poland called for 10 May 2020 with the use of postal voting, which, as it is generally available, is known to the supervisory body ex officio. As it results from the content of the above-mentioned document, "The Company commissioned the preparation of three legal opinions in the context of the subject of the tasks and obligations and the liability of the Members of the Management Board of the Company in connection with the implementation of the order contained in the decision of the Prime Minister of 16 April 2020. (...) The legal opinion of 23 April 2020, prepared in the Legal and Ownership Supervision Office of PP S.A., indicated (...) the obligation of the Members of the Management Board to act diligently in a situation in which the act on special principles for conducting elections has not yet been adopted. Therefore, it was recommended (...) to conduct an analysis of the decision (...) in terms of the justification for its appeal, in particular in the context of its compliance with the law"[11]. In light of the above, the Company's commencement of activities related to obtaining personal data of voters from the PESEL register – despite the lack of prior exercise of its powers enabling it to review the administrative decision addressed to it – should be considered in terms of the Company's freedom of decision-making. Consequently, the allegations made by the Company, cited at the beginning of this paragraph, should be deemed unfounded.
90. In turn, in point IV of the letter dated February 27, 2025, the Company presented its position with reference to the "Presumption of constitutionality of the act and presumption of legality of the administrative decision". However, it is impossible to agree with the Company's argument contained in this point that "Poczta Polska S.A., when acquiring personal data in April 2020, had no legal basis to question and, consequently, not perform the tasks resulting from art. 99 of the Special Act and the Decision of the Prime Minister. The subsequent finding of invalidity of the Decision is irrelevant for the assessment of the acquisition of personal data, based on the provision of art. 99 of the Special Act (the conformity of which with the Constitution was not challenged) and the Decision of the Prime Minister, which at that time enjoyed the presumption of legality". The determination by the Regional Administrative Court (subsequently confirmed by the Supreme Administrative Court) of the invalidity of the PRM Decision of 16 April 2020 is closely related to the recognition by these courts of the actions of the Minister of 22 April 2020 as ineffective in the scope in which he provided the Company with personal data from the PESEL register. In the opinion of the President of the UODO, the arguments presented in point IV of the letter dated 27 February 2025 should be considered irrelevant in the context of the argumentation presented by him in this decision and in connection with the fact that the Regional Administrative Court and the Supreme Administrative Court issued the judgments referred to in points 11 and 12 of this decision. For the same reasons, in the opinion of the supervisory authority, the arguments of the Company presented in point V of the letter dated 27 February 2025 regarding the confirmation by the Constitutional Tribunal of the compliance of Art. 11 of the COVID-19 Act (incorrectly marked by the Company in this letter) with the Constitution of the Republic of Poland.
91. In point VI of the letter dated 27 February 2025, the Company presented its position on the scope of its activity and its submission of an application to the Minister: "This circumstance remains crucial. The provision of personal data by a government administration body (Minister of Digitization) should be assessed differently than the application for their provision by Poczta Polska S.A., against which coercion resulting from public authority was exercised. Poczta Polska S.A. was - under the law in force at that time - obliged to request personal data, under penalty of application of state coercion in the administrative enforcement procedure (see judgment of the Supreme Administrative Court of 10 September 2014, I OSK 229/13). The Minister of Digitization acted without a similar order." In the opinion of the President of the UODO, the arguments of the Company presented in this way do not merit consideration. Of course, the supervisory authority sees a difference between the degree of responsibility of the Minister and the Company for the infringements of the provisions of Regulation 2016/679 attributed to them in these proceedings – which the authority expressed in the further part of the justification of this decision, devoted to the assessment of the level of seriousness of these infringements (see points 126 and 147 of the justification). Nevertheless, it should be stated that the situation in which the Company found itself did not release it from the obligation to respect the constitutional rights of citizens, including the right to the protection of personal data, detailed in the provisions of Regulation 2016/679. This assessment is not changed by the fact that the PRM Decision of 16 April 2020 addressed to the Company was subject to immediate execution. It should be pointed out that the general wording of the order addressed to the Company, or more precisely, the lack of indication in the decision of specific executive actions that the Company should have taken in order to implement this order, made this decision defective - and consequently unenforceable. Such an assessment was presented by the Supreme Administrative Court in the judgment referred to in point 11 of this decision, explaining that "(b)ecause of the impossibility of determining what specific actions the addressee of the order is to take (...) prevents its possible compulsory implementation under the provisions of the Act on enforcement proceedings in administration. (...) An analysis of the content of the decision of the Prime Minister of 16 April 2020 leads to the conclusion that (...) its content does not allow (...) to identify the nature and scope of the task that was imposed on Poczta Polska. (...) Consequently, it is impossible to indicate the conditions under which Poczta Polska would release itself from liability for failure to implement the decision, depriving the body of the possibility of implementing the compulsory procedure for its implementation.". The position of the Supreme Administrative Court, by which the President of the Personal Data Protection Office is bound, clearly determines that the obligation to fulfil the obligation imposed on the Company by the aforementioned administrative decision – given the mere framework formulation of this obligation – was in fact illusory.
92. In point VII of its letter of 27 February 2025, the Company referred to the position presented by the President of the Personal Data Protection Office in April 2020 and attached in this respect a printout from the website on which it was published. It also indicated the earlier issuance by the supervisory authority of a decision to discontinue the proceedings in the case of a complaint regarding the disclosure of personal data of a natural person to the Company by the Minister (also attaching a copy of this decision). Contrary to what the Company argued in this point, in the opinion of the President of the Personal Data Protection Office, the change in the position adopted by him does not determine the complexity of the case. The change caused by the issuance of the judgments by the Voivodship Administrative Court and the Supreme Administrative Court referred to in points 11 and 12 of this decision must have had an obvious impact on the position adopted by the President of the Personal Data Protection Office (including in connection with the application of Article 170 of the Law on Proceedings before Administrative Courts). This modification also could not have caused any surprise to the Company, which was a participant in the court proceedings culminating in the issuance of these judgments. Due to this, the Company's arguments and the evidence attached by it in this respect (i.e. the above-mentioned printout and copy of the decision) have no impact on the content of this decision. Similarly, the Company's arguments contained in point VIII of the letter dated 27 February 2025 referring to the position of the National Electoral Commission from 2020, together with evidence: a copy of the letter dated 23 April 2020 (ref.: (...)). Only in passing, it is worth noting that this letter referred to the disclosure of data from the voter register and was to be addressed to local governments.
93. In point IX of the letter dated 27 February 2025, the Company raised arguments concerning the principle of trust in public authorities resulting from Article 8 of the Code of Administrative Procedure. It indicated, among other things, that "In the circumstances that occurred in April and May 2020, Poczta Polska S.A. had every right to be justified in believing that there were no doubts as to the legality of obtaining and processing personal data". According to the supervisory authority, however, in order to properly assess its conduct, it should be taken into account that in the current situation, its omission of the judgments referred to in points 11 and 12 of this decision could be considered a breach of the principle of trust in public authorities. The President of the UODO, as the Company rightly noted in its letter, has the right to change his/her view – however, it is indicated that this change must be justified: "In court case law, the following actions of public administration bodies are considered to violate the principle of citizens' trust in state bodies (public authorities): (...) variability of legal views expressed in decisions of administration bodies with respect to the same addressee, issued against the background of the same factual circumstances, indicating the same legal basis for the decision and without further justification for such a change – judgment of the Supreme Administrative Court in Łódź of 8 April 1998, I SA/Łd 652/97, ONSA 1999/1, item 27 (...)" (A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, art. 8). However, the President of the UODO cannot be accused of failing to justify in this decision the change in the position adopted in April 2020, which, by the way, took the form of a public communication and not an administrative ruling addressed to the party. In this context, it is also worth noting that Article 170 of the p.p.s.a., repeatedly mentioned in this decision, refers to rulings issued by administrative courts. It is therefore impossible to apply it to the judgment of the District Court in Warsaw of August 21, 2024, reference number XXIV C 1611/20, to which the Company referred in point X of the letter of February 27, 2025. For this reason (and also due to the fact that the indicated judgment is not final), the Company's arguments, among others, that: "(...) The Court had no doubts as to the lack of unlawfulness of Poczta Polska S.A.'s actions." is irrelevant in this case, and the evidence in the form of a copy of this judgment submitted by the Company has no impact on the content of this decision.
94. In point XI of the letter dated 27 February 2025, the Company emphasized, among other things, that "In order to determine the scope of personal data processing, the duration of processing, the categories of personal data, and the security measures applied, Poczta Polska S.A. submitted applications in the letter dated 25 February 2025" and added: "While maintaining the position that the actions of Poczta Polska S.A. were not unlawful, I would like to point out, however, that determining all the circumstances is necessary in order to properly examine this case in accordance with the Code of Administrative Procedure". In order to avoid unnecessary repetitions, the President of the UODO therefore refers in this context to his arguments already raised, among others, in part IV.A of this decision. At the end of point XI of the aforementioned The Company indicated in the letter that "(...) the Minister of Internal Affairs, by decision of 8 September 2014, reference number (...), expressed consent to provide Poczta Polska S.A. with data from the PESEL database using data teletransmission devices for the purpose of performing statutory tasks" and attached evidence in the form of a copy of the decision of the Minister of Internal Affairs of 8 September 2014 (reference number (...)). Since the administrative proceedings conducted in this case concern the provision of personal data to the Company by the Minister of Digitization from the PESEL register on completely different grounds, this last argument of the Company and the evidence attached by it have no impact on the content of the decision in question.
95. In the final part of the letter, the Company also stated that: "In accordance with Art. 7a § 1 of the Code of Administrative Procedure, if the subject of administrative proceedings is the imposition of an obligation on a party or the restriction or deprivation of a party's right, and there are doubts as to the content of a legal norm in the case, such doubts shall be resolved in favour of the party, unless the parties' conflicting interests or the interests of third parties directly affected by the outcome of the proceedings oppose this. In the opinion of Poczta Polska S.A., the evidentiary proceedings should be supplemented and, based on a properly established factual situation, the Authority will have no doubt that no infringement of the provisions on personal data protection occurred on the part of Poczta Polska S.A. at all." In the opinion of the President of the UODO, the cited statement of the Company suggesting the existence of doubts in the analysed case justifying such a decision is completely unfounded in the light of the extensive argumentation presented by him in this decision, which also takes into account the fact that the supervisory authority is bound by final judgments referred to in points 11 and 12 of this decision. To sum up, it should be pointed out that the Company's motion to determine that: 1) Poczta Polska S.A. did not violate the provisions on personal data protection, and consequently there are no grounds for an administrative fine, or 2) the action of Poczta Polska S.A. was not unlawful, and consequently there are no grounds for imposing an administrative fine, is unfounded. For the reasons discussed broadly in both Parts IV.A and IV.B of this decision, the motions to produce evidence indicated by the Company in the letters discussed in the above-mentioned parts of this decision should also be considered unfounded.
V. Administrative fines.
96. The administrative proceedings conducted by the President of the UODO serve to verify the compliance of data processing with the provisions on personal data protection and are aimed at issuing an administrative decision in order to apply the remedial powers specified in Article 58 paragraph 2 of Regulation 2016/679.
97. Taking into account the above, as well as the infringements of the provisions on personal data protection found in these proceedings, the President of the UODO – using the power specified in Article 58 paragraph 2 letter i) of Regulation 2016/679, according to which each supervisory authority has the power to apply, in addition to or instead of the measures referred to in Article 58 paragraph 2 letters a)-h) and letter j) of that Regulation, an administrative fine specified in Article 83 paragraph 5 letter a) – found that in the case at hand, the grounds for imposing an administrative fine on both the Minister and the Company had materialised.
98. In accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679, infringements of the provisions concerning the basic principles of processing, including the conditions of consent, referred to in Articles 5, 6, 7 and 9, shall be subject to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking – of up to 4% of its total annual global turnover from the previous financial year, whichever is higher.
99. In accordance with Article 102 paragraph 1 point 1 of the Personal Data Protection Act, the President of the Personal Data Protection Act may impose, by way of a decision, administrative fines of up to PLN 100,000 on public finance sector entities referred to in art. 9 points 1-12 and 14 of the Act of 27 August 2009 on Public Finances (Journal of Laws of 2024, item 1530, as amended). This limit will undoubtedly apply in this case to the Minister, as a public authority, and more specifically - a government administration body. The administrative fines referred to in par. 1 and 2 are imposed by the President of the Office on the basis of and under the conditions specified in art. 83 of Regulation 2016/679 (art. 102 par. 3 of the Personal Data Protection Act).
V.A. Conduct subject to administrative fines and application of Article 83(3) of Regulation 2016/679.
100. Pursuant to Article 83(3) of Regulation 2016/679, if the controller or processor intentionally or negligently, within the same or related processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount of the fine for the most serious infringement.
101. The term "processing operations" referred to in Article 83(3) of Regulation 2016/679 is explained in Article 4 point 2 of Regulation 2016/679, in which "processing" is defined as "an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction". In view of the above, a processing operation will constitute any action to which the data are subjected until they are deleted, lost or destroyed.
102. In turn, guidance on identifying the "most serious infringement" is included in the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (version 2.1) adopted on 24 May 2023, hereinafter referred to as the "Guidelines 04/2022". According to the position expressed therein, "the wording "the amount of the penalty for the most serious infringement" refers to the statutory maximum amounts of pecuniary penalties" specified in Article 83(4)-(6) of Regulation 2016/679 (see point 43 of Guidelines 04/2022). Thus, the most serious infringement in an individual case will be the one for which the EU legislator has provided a higher threshold for the maximum threat of an administrative pecuniary penalty.
103. In view of the finding that both controllers concerned in the case committed, in the factual situation under analysis, an infringement of Article 6(1) of Regulation 2016/679, resulting in a simultaneous infringement of Article 5(1)(a) a) Regulation 2016/679, the President of the UODO was obliged to take into account the regulation cited in the preceding paragraph in order to consider whether the circumstances of this case determine the use by the supervisory authority of only one or several corrective measures provided for in Article 58 paragraph 2 of Regulation 2016/679 – or more precisely, whether the authority should impose only one administrative fine on each of the controllers, constituting a response to all the infringements committed by them, or separate and independent penalties for each of these infringements considered separately.
104. When establishing specific sanctions for the conduct found in this case in breach of the provisions of Regulation 2016/679, the President of the UODO took into account that the infringements attributed to both the Minister and the Company were committed as part of the same processing operations. The action of the Minister considered in this case, consisting in providing the Company with personal data of voters from the PESEL register, as well as the action of the Company consisting in obtaining and processing this data in connection with undertaking activities aimed at preparing to hold the elections of the President of the Republic of Poland in 2020 in correspondence mode, were one-off actions, undertaken as a result of a single decision of the administrator and aimed at achieving one pre-defined goal. At the same time, these actions concerned the same set of data. Both processing operations described above (i.e. providing data on the one hand and processing them on the other) were not supported by legal provisions, because both administrators did not have any of the valid grounds for processing, enumerated in Article 6 paragraph 1 of Regulation 2016/679, at the date of transfer of the data. Failure to meet even one condition for the lawfulness of personal data processing resulted directly in a breach of the norm expressed in Article 5 paragraph 1 letter a) of Regulation 2016/679, according to which personal data must be processed in accordance with the law, fairly and in a transparent manner for the data subject. It should be noted that the aforementioned Article 5 paragraph 1 letter a) of Regulation 2016/679 establishes in this respect a general principle of personal data processing, which sets the framework for the entire data protection system. The lawfulness of processing, understood as an overarching concept, has been clarified on the basis of other provisions of Regulation 2016/679, establishing specific obligations – addressed to controllers and processors – and the rights of data subjects correlated with them. Such a specifying provision is undoubtedly also Article 6 paragraph 1 of Regulation 2016/679. In this context, it should be explained that the finding of an infringement of the provisions defining the basic, general principles of processing (in this case – Article 5 paragraph 1 letter a)) does not exclude attributing to the controller the infringement of the detailed provisions concretising these principles (in this case – Article 6 paragraph 1) and imposing a financial penalty for it.
105. Having therefore found that in the analysed factual situation both controllers infringed more than one provision of Regulation 2016/679 (Article 6 paragraph 1, and consequently also Article 5 paragraph 1 letter a)) within the same processing operations, and that none of the identified infringements excludes – in the opinion of the President of the Personal Data Protection Office – the possibility of attributing the other controller to them, in these proceedings the liability of both the Minister and the Company should be shaped “in parallel” in relation to all the infringements committed by the above. In such a situation, the provision of Article 83 paragraph 3 of Regulation 2016/679 will apply.
106. To sum up, in this case, an administrative fine was imposed on the Company for infringement of Article 5 paragraph 1 letter a) and Article 6 paragraph 1 of Regulation 2016/679. In relation to both of these infringements, the provision of Article 83 paragraph 3 of Regulation 2016/679 was applied, and – in connection with the fact that both infringements are threatened (in abstracto) with the same penalty resulting from Article 83 paragraph 5 letter a) of Regulation 2016/679, in the amount of up to EUR 20 000 000 or up to 4% of the annual turnover – these infringements should be attributed the same seriousness. The consequence of this is that it is impossible to impose a penalty for the above-mentioned infringements that is higher than the maximum penalty for one of them, i.e. the amount of EUR (...) – due to the need to adopt the so-called "dynamic maximum penalty" in relation to the Company (see point 146 of the justification).
107. In turn, the administrative fine imposed on the Minister was imposed for the infringement of Article 5 paragraph 1 letter a) and Article 6 paragraph 1 of Regulation 2016/679, on the basis of Article 83 paragraph 5 letter a) of Regulation 2016/679. This penalty, imposed jointly for the infringement of both of the above provisions – in accordance with the wording of Article 83 paragraph 3 of Regulation 2016/679 – cannot exceed the amount of the penalty for the most serious infringement found in this case. Given the fact that both violations alleged against the Minister are typified in Article 83 sec. 5 letter a) of Regulation 2016/679, which provides for the same maximum threshold for the threat of an administrative fine, these violations should be assigned the same seriousness. Consequently, the penalty imposed on the Minister cannot exceed the penalty limit specified for one of these violations, i.e. the amount of PLN 100,000, established in Article 102 sec. 1 item 1 of the Personal Data Protection Act with respect to public authorities and other public entities.
V.B. Justification for imposing and determining the amount of the administrative fine imposed on the Minister
Penalty assessment conditions – application of Article 83 sec. 2 of Regulation 2016/679
108. In deciding to impose an administrative fine on the Minister, the President of the UODO – pursuant to Article 83 paragraph 2 letters a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which constitute the necessity to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed.
109. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage they suffered (Article 83 paragraph 2 letter a) of Regulation 2016/679) The breaches attributed to the Minister are of very high importance and exceptionally serious in nature, expressed in the fact that they violate the basic principles of personal data processing, which are fundamental in the entire data protection system, defining its framework. The nature of the processing carried out by the central government administration body as part of the public tasks entrusted to it should also be assessed as aggravating in this context. The Minister, being the entity responsible for maintaining and developing the PESEL register - which is the central and most important state collection of personal data of natural persons - should be distinguished not only by the highest knowledge of the law, but also provide a guarantee of respect for the rights and freedoms of citizens (including those relating to the processing of their personal data included in the register). Meanwhile, the aforementioned authoritatively and unilaterally decided to provide the Company with the personal data of all persons of legal age as of 10 May 2020, who at the time the data was generated had Polish citizenship registered in the PESEL register, were listed as living persons and for whom the indicated country of residence was Poland, despite the fact that his actions were not supported by applicable legal provisions at the date of such disclosure – which the Minister was aware of (and which was explained in detail in point 110 of the justification).
The President of the UODO also considers the scope of processing and the significant number of persons affected by the breach to be an aggravating circumstance. In fulfilling the Company's request of 20 April 2020 to send data from the PESEL register, the Minister provided it with information on nearly 30 million persons with Polish citizenship, which in general constituted almost 80% of the country's population[12]. In light of the above information, indicating that the Minister processed personal data on a large scale – because although the scope of this processing was exclusively national, it affected the vast majority of Polish society – the violations attributed to him should be assessed as systemic, which significantly affects their significance.
Despite the lack of evidence obtained proving that the data subjects suffered financial damage in connection with the identified violations, the President of the UODO took into account, as a circumstance influencing the amount of the imposed financial penalty, the possibility of non-financial damage on the part of data subjects, such as, in particular, fear or uncertainty resulting from the inability to exercise control over their personal data – due to the fact of their unlawful disclosure to the Company. The correctness of the assessment adopted by the supervisory authority is supported by the content of the judgment of the Court of Justice of the EU of 14 December 2023 in the case Natsionalna agentsia za prihodite (C-340/21, EU:C:2023:986), in which the Court emphasised that "Article 82(1) of the GDPR must be interpreted as meaning that the fear of possible use by third parties in a way that constitutes a misuse of personal data, which the data subject has as a result of an infringement of that regulation, may in itself constitute 'non-material damage' within the meaning of that provision." In this context, it is not without significance that the risk of non-pecuniary damage could potentially apply to all (approximately) 30 million people whose data was on the DVD provided to the Company – and this risk certainly materialized in relation to those people who filed complaints to the supervisory authority about irregularities in the processing of their personal data by the Minister and the Company, in connection with the organization of the elections of the President of the Republic of Poland, which were to be held on 10 May 2020.
Due to the specific nature of the infringement consisting in a one-time disclosure of personal data to the Company, which took place on 22 April 2020, the President of the Personal Data Protection Office could not assess, within the framework of the analyzed premise of the penalty, the impact that the duration of the infringement had on this premise. In view of the position adopted in this way, this circumstance should be considered neutral, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.
Regardless of the above, taking into account the nature and gravity of the identified violations, as well as the number of data subjects affected and the level of non-pecuniary damage identified, the premise specified in Article 83 paragraph 2 letter a) of Regulation 2016/679, considered in its entirety, should be assessed as clearly aggravating.
110. Intentional nature of the violation of the provisions of Regulation 2016/679 by the Minister (Article 83 paragraph 2 letter b of Regulation 2016/679) It should be emphasized that when analysing this premise, the President of the UODO was also bound, in accordance with 170 p.p.s.a., by the findings of the Provincial Administrative Court and the Supreme Administrative Court contained in the judgments referred to in points 11 and 12 of this decision. In addition, it took into account the guidelines contained in Guidelines 04/2022, according to which intent "includes both knowledge and deliberate action, in connection with the characteristics of a prohibited act" (see point 55 of Guidelines 04/2022). In light of the above, the supervisory authority assumed that the Minister had provided the Company with personal data of voters from the PESEL register, despite being aware of the illegality of such action.
It should be pointed out, in accordance with the position of the administrative courts expressed in the aforementioned judgments, that in accordance with the provisions of the Electoral Code, in force on the date of the analyzed disclosure, the permanent supreme electoral authority competent in matters of conducting elections and referenda was the National Electoral Commission (Article 157 § 1). The above-mentioned and it was provided by the National Electoral Office, whose tasks included ensuring the organizational, administrative, financial and technical conditions related to the organization and conduct of elections and referenda within the scope specified in the code and other acts (Article 187 § 1 and 2).
Additionally, the provisions of the Electoral Code – the application of which during the period of the state of epidemic threat or the state of epidemic, when conducting the general elections for the President of the Republic of Poland in 2020, was abolished on 18 April 2020 under Article 102 point 4 of the Electoral Code – authorized only the following to carry out activities aimed at preparing for conducting these elections in correspondence mode: electoral commissioners, election officials, as well as the Chief Sanitary Inspector and the Sanitary Inspectorate (Article 53b of the Electoral Code). The possibility of voting by correspondence was reserved for a narrow group of voters, i.e. voters with disabilities, voters in mandatory quarantine, isolation or home isolation, and voters who turn 60 on the day of voting no later than the day of voting (Article 53a of the Electoral Code). Although on 6 April 2020 the Sejm of the Republic of Poland passed the Act on special rules for conducting the general elections for the President of the Republic of Poland called in 2020, providing for them to be conducted exclusively by postal voting for all voters with active electoral rights (as already mentioned in point 31 of the justification), this Act did not enter into force until 9 May 2020, i.e. after the date on which the Minister made the data available. According to the President of the Personal Data Protection Office, it is indisputable that the Minister – being a member of the Council of Ministers – knew about the ongoing legislative work on the aforementioned legal act. This argument is additionally strengthened by the fact that the person who, at the time of the identified infringements of the provisions of Regulation 2016/679, was a holder of a public body recognized in these proceedings as the data controller (i.e. the then Minister of Digital Affairs, (...)), exercised the mandate of a member of the Sejm of the Republic of Poland, 9th term, and participated in the vote on the draft of the aforementioned act, giving it his support[13]. The fact that the Minister was aware of the legislative changes being processed, which were aimed at excluding the provisions of the Electoral Code referred to in the introduction from application, leaves no doubt that the Minister was aware that on the date of transferring the personal data of voters in the PESEL register to the Company, the Company was not an entity authorised by law to undertake and carry out the necessary activities aimed at preparing for the general elections of the President of the Republic of Poland in 2020. Moreover, the Minister was aware of the fact that no statutory provision in force at that time permitted these elections to be held solely by correspondence.
From the above, the President of the UODO concludes that the violations attributed to the Minister are intentional, which has a significant aggravating effect on the amount of the administrative fine imposed on him.
111. Any relevant previous infringements by the controller (art. 83 par. 2 letter e of Regulation 2016/679) When deciding on the imposition and the amount of the administrative fine applied to the Minister, the President of the UODO took into account, as an aggravating circumstance, the fact that the Minister had previously violated the provisions of Regulation 2016/679. It should be pointed out that as a result of complaints received from natural persons about irregularities in the process of processing their personal data by the abovementioned, the supervisory authority issued the following decisions: - decision of 29 March 2021, reference number (...), finding an infringement of the provision of art. 12 par. 3 of Regulation 2016/679, - decision of 10 September 2021, reference number (...), finding an infringement of the provision of art. 5 par. 1 letters a) and b) and art. 6 par. 1 of Regulation 2016/679, - decision of 4 January 2024, reference number (...), stating a violation of the provision of art. 12 sec. 3 of Regulation 2016/679.
The above-mentioned earlier violations indicate the occurrence of certain problems in the administrator's structures with the implementation of obligations arising from the provisions of Regulation 2016/679. The Minister was unable to demonstrate to the supervisory authority in the above-mentioned individual cases the legality of processing and timeliness in the scope of the implementation of the rights of data subjects - which resulted in the application of appropriate corrective measures to the Minister. However, it should be stated that the identified problems were not systemic or commonly recurring in nature, but concerned individual situations. The fact that two of the violations identified in the above-mentioned proceedings differed in terms of their subject matter from those examined in this case is also significant for the assessment of this premise. As the EDPB explains, "infringements that concern the same subject matter should be considered more relevant than previous infringements that concern a different subject matter" (see point 88 of Guidelines 04/2022). In view of the above, the President of the UODO took the position that the Minister's previous attitude, indicating existing difficulties in respecting the provisions on the protection of personal data - while it is considered to the detriment of the controller and currently justifies the imposition of an administrative fine on him - does not significantly increase its amount.
112. Categories of personal data affected by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679) The personal data provided to the Company by the Minister included: PESEL number, first names, last names, last current permanent residence address (and in the absence thereof: last invalid address), temporary residence address (along with the declared date of such stay), as well as currently registered temporary travel outside the country, of all adults as of 10 May 2020, who on the date of generating such data had Polish citizenship registered in the PESEL register, and moreover were listed as living persons for whom Poland was the indicated country of residence. Unless the above information provided to the Company does not include special category data specified in Article 9 and 10 of Regulation 2016/679 – which are subject to special protection and therefore a more rigorous response from the supervisory authority when imposing fines – however, the wide scope of this data, allowing for the immediate identification of data subjects, requires that this premise be treated as an aggravating factor. In this context, it is worth recalling the position of the EDPB, according to which "the more such categories of data are affected by the breach or the more sensitive the data are, the more weight the supervisory authority may assign to such a factor. The amount of data relating to each data subject is also important, because the scale of the infringement of the right to privacy and personal data protection increases with the amount of data relating to each data subject" (see points 57-58 of the Guidelines 04/2022). It should also be emphasized that the personal data protection breaches concerned the PESEL registration number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person, containing, among other things, date of birth and gender designation, and therefore closely related to the private sphere of a natural person and also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679. Unlawful disclosure of this type of information to the Company, in particular in combination – as was the case in the present case – with a broader set of personal data, could have a real and negative impact on the protection of the rights or freedoms of natural persons. The Supreme Administrative Court expressed its opinion no differently on the issue of the special nature of identification information, which is the PESEL registration number and the related postulate of its special protection, in its judgment of 6 December 2023, file reference number Act III OSK 2931/21 considered that disclosing "(...) data, including first and last names, as well as PESEL numbers of natural persons, i.e. relatively permanent, unchangeable data (...) may always entail a risk of negative consequences for the above-mentioned persons. Similarly, residential addresses are personal data, the unauthorised disclosure of which creates a high risk of negative legal consequences".
113. Any other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k of Regulation 2016/679) The supervisory authority also considered the consequences of the infringements attributed to it to be perceptible in the general social dimension to the detriment of the Minister. The disclosure by a public authority to the Company of personal data of Polish citizens who were entitled to exercise their active voting rights in the elections for the President of the Republic of Poland on 10 May 2020 – widely commented on in both traditional and social media, in the face of justified doubts as to the legality of the Minister's described actions – caused anxiety and uncertainty among citizens as to the predictability of the actions of state authorities and became the reason for numerous protests and demonstrations. As a result, the conduct of the Minister, punishable in this case, led to the deepening of the phenomenon of citizens' lack of trust in public authorities, as well as in the effectiveness of the state system for the protection and security of personal data, thus increasing the gravity of the violations attributed to the Minister. 114. When determining the amount of the administrative fine, the President of the Personal Data Protection Office took into account in favour of the Minister, as part of the premise concerning any other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k of Regulation 2016/679), the fact that the above-mentioned took actions aimed at eliminating the effects of the infringements attributed to him. This is because the request sent to the Company on 12 May 2020 to submit a declaration on the permanent deletion of the data from the PESEL register and all copies thereof transferred to the Company on 22 April 2020 should be considered as such. Considering that the Company commenced the processes related to the deletion of data only on 15 May 2020, it can be assumed that it was the Minister's statement that initiated the Company's first actions in the above respect. Thus, this circumstance was deemed to be mitigating, i.e. having an impact on reducing the amount of the administrative fine imposed on the Minister.
115. The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were deemed by the President of the Personal Data Protection Office to be neutral in his assessment, i.e. as having neither an aggravating nor a mitigating impact on the amount of the administrative fine imposed.
116. Actions taken to minimise the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679) In the context of this premise, the purpose of the controller's action, i.e. minimising the damage suffered by data subjects, is important. The President of the UODO did not note such actions of the Minister in this case, which is why he assessed this premise neutrally. This assessment is not changed by the fact that the Minister requested the Company to submit a declaration regarding the deletion of the personal data transferred to it, the consequence of which was the cessation of processing of this data by the Company. While the removal of the state of infringement of the provisions of Regulation 2016/679 could essentially lead to the cessation of the state of fear on the part of data subjects resulting from the loss of control over their data – these actions were not communicated to the public in any way, and therefore could not have the expected effect.
117. Degree of responsibility, taking into account the technical and organizational measures implemented by him under Article 25 and 32 of Regulation 2016/679 (art. 83 sec. 2 letter d of Regulation 2016/679)Due to the nature of the infringements of the provisions of Regulation 2016/679 identified in this case (disclosure of personal data from the PESEL register despite the lack of legal basis) – which infringements are not essentially related to the technical and organizational measures applied by the controller, but only to the assessment of the correctness of the Minister's interpretation of the provisions legalizing this processing – it should be assumed that the premise indicated in Art. 83 sec. 2 letter d) of Regulation 2016/679 has neither an aggravating nor attenuating effect on the amount of the administrative pecuniary penalty imposed. It is not relevant in the assessment of the infringement by the Minister of the provisions of Art. 5 sec. 1 letter a) and Art. 6 sec. 1 of Regulation 2016/679.
118. Degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its possible negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679) The President of the UODO would like to point out that the conduct of the Minister subject to punishment in this case, which by its nature was a one-off and irreversible action, essentially excluded the possibility of eliminating the infringements attributed to him. Moreover, on the date of initiation of these administrative proceedings, the personal data provided by the Minister were not processed by the Company, which deleted them without prior action or intervention on the part of the supervisory authority. Consequently, at this stage it is not possible to assess the degree of cooperation between the Minister and the President of the UODO in order to eliminate the infringement and mitigate its possible negative effects. The factual situation presented in this way cannot constitute an aggravating or mitigating circumstance when imposing sanctions.
119. The manner in which the supervisory authority learned of the infringement, in particular whether and to what extent the controller or processor reported the infringement (Article 83 paragraph 2 letter h of Regulation 2016/679) The supervisory authority learned of the infringement of the provisions of Regulation 2016/679 by the Minister as a result of complaints received from natural persons, also obtaining information from generally available media. Due to the fact that the unlawful conduct of the controller reported to the authority does not constitute a "breach of personal data protection" within the meaning of Article 4 point 12 of Regulation 2016/679 – i.e. a security breach leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed – the Minister was not obliged to report it to the supervisory authority in the manner provided for in Article 33 of the discussed legal act. It should be pointed out that the provisions of Regulation 2016/679 do not impose a similar obligation on controllers in the event of a breach that does not result in a disruption of the security of the personal data being processed, which may affect the confidentiality, integrity or availability of such data. Thus, the manner in which the authority learned of the breach should be assessed as a neutral fact, irrelevant to the resolution of this decision.
120. If the controller concerned had previously been subject to measures referred to in Article 58 sec. 2 – compliance with these measures (art. 83 sec. 2 letter i of Regulation 2016/679) Before issuing this decision, the President of the UODO did not apply any measures specified in art. 58 sec. 2 of Regulation 2016/679 to the Minister in the case at hand, and therefore the Minister was not obliged to take any actions related to their application, and which actions, assessed by the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified infringement.
121. Application of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83 paragraph 2 letter j of Regulation 2016/679) As of the date of the decision, the Minister had not applied approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not – as provided for in the provisions of Regulation 2016/679 – obligatory for controllers, and therefore the fact of their non-application cannot be considered to the detriment of the Minister in this case. On the other hand, the fact of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of personal data processing could be considered to his advantage, but in the case at hand such a circumstance did not occur.
122. Financial benefits achieved directly or indirectly in connection with the infringement (Article 83 sec. 2 letter k of Regulation 2016/679) In the course of the proceedings, no impact of the infringement of the provisions of Regulation 2016/679 on the Minister's achievement of financial benefits or avoidance of losses was found. There is therefore no basis to treat this circumstance as an aggravating circumstance. The finding that there were measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed clearly negatively. On the other hand, the failure of the Minister to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be mitigating. This interpretation is confirmed by the very wording of the provision of Article 83 sec. 2 letter k. k) Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - those that occurred on the side of the entity committing the infringement.
Determining the amount of the penalty using Guidelines 04/2022
123. In determining the amount of the administrative fine imposed on the Minister in this case, the President of the UODO applied, in a limited manner, the methodology adopted by the EDPB in Guidelines 04/2022. The limited scope of application of these guidelines for calculating penalties imposed on public authorities and entities results from the impossibility of adopting the turnover (revenues) of such an entity as a measure of its size allowing for the amount of the penalty to be moderated so that it is effective, proportionate and deterrent. As indicated by the EDPB in point 10 of its guidelines, where national law authorises supervisory authorities to impose administrative fines on public authorities and bodies, these guidelines apply to their calculation, with the exception of Chapter 4.3 of this document (“Turnover for the purposes of imposing an effective, dissuasive and proportionate fine”). Where national law provides for statutory maximum fines for public authorities and bodies (other than those resulting from Article 83 paragraphs 4-6 of Regulation 2016/679), Chapter 6 of the guidelines (“Legally determined maximum amount of the fine and liability of undertakings”) will not apply. Therefore, taking the above into account, the President of the UODO has calculated the fine imposed on the Minister as follows.
124. The President of the UODO has adopted the legally determined maximum amount of the fine that may be imposed on the Minister as – pursuant to Article 102 paragraph 1 item 1 of the UODO. – the amount of PLN 100,000, where this amount applies regardless of the provision of Regulation 2016/679 that the infringement concerns.
125. The President of the UODO categorised the infringement of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). Infringements of the provisions of both Article 5 and Article 6 of Regulation 2016/679 belong – in accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679 – to the category of infringements punishable by the higher of the two penalties provided for in this legal act (with a maximum amount of up to EUR 20,000,000 or up to 4% of the turnover of the undertaking in the previous financial year). They are therefore in abstracto the “most serious” of the infringements provided for in Regulation 2016/679; they are more serious than the second group of infringements subject to administrative fines (specified in Article 83 paragraph 4 of Regulation 2016/679).
126. The President of the UODO assessed the infringement found in this case as a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, these premises were taken into account among those listed in Article 83 paragraph 2 Regulation 2016/679, which concern the material party of the infringement (they constitute the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringement (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringement (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringement (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above (see points 109, 110 and 112 of the justification). It should only be noted here that considering their combined effect on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is high. The consequence of this is the adoption – as the starting amount for calculating the penalty – of a value ranging from 20% to 100% of the maximum amount of the penalty that can be imposed on the Minister (see point 60, third indent of Guidelines 04/2022), i.e. – taking into account the maximum amount of PLN 100,000 specified for public bodies and entities (see point 124 of the justification) – from PLN 20,000 to PLN 100,000. The President of the UODO considered the amount of PLN 90,000 (90% of the legally defined maximum amount of the penalty that can be imposed on the Minister) to be an adequate starting amount, justified by the circumstances of this case.
127. The President of the UODO assessed the impact on the established infringement of the other circumstances (apart from those taken into account above in the assessment of the seriousness of the infringement) indicated in Article 83, paragraph 2 Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement (the entity itself that committed the infringement and its conduct before, during and after the infringement) and possibly to other circumstances that may be relevant to its assessment. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above (see points 111 and 113-122 of the justification). At this point, it should only be pointed out that two of them had – in the opinion of the President of the UODO – an aggravating effect on the amount of the penalty imposed: relevant earlier infringements of the provisions of Regulation 2016/679, found by the President of the UODO (Article 83 par. 2 letter e) of Regulation 2016/679) and the negative effects of the infringement taking place in the general social sphere (Article 83 par. 2 letter k) of Regulation 2016/679). One premise, however, had a slight mitigating effect on the amount of the penalty – the voluntary action taken by the Minister in order to mitigate the negative effects of the infringement (Article 83 par. 2 letter k) of Regulation 2016/679). The remaining premises of Article 83 par. 2 (letters c), d), f), h), i) and j) of Regulation 2016/679) – as indicated above – had neither a mitigating nor an aggravating effect on the assessment of the infringement and, consequently, on the amount of the penalty. Therefore, due to the existence of additional circumstances in the case affecting the assessment of the infringement, and therefore on the amount of the penalty, the President of the UODO considered it justified to further correct the amount of the penalty established on the basis of the assessment of the seriousness of the infringement (see point 126 of the justification). In the opinion of the President of the UODO, a further increase in its amount – up to PLN 100,000, i.e. the legally defined maximum amount of the penalty that may be imposed on the Minister – would be adequate to the total impact on the amount of the penalty of all three of the above-mentioned grounds, which are significant for the assessment of the infringement.
128. In accordance with Article 83 sec. 1 of Regulation 2016/679, each supervisory authority shall ensure that administrative fines imposed for infringements of this Regulation are effective, proportionate and dissuasive in each individual case. On the other hand, Guidelines 04/2022 indicate that the last step in calculating the fine made in accordance with the methodology presented therein should be to analyse whether the final amount of the calculated fine meets these requirements and to increase or reduce the fine accordingly. In carrying out such an analysis in this case, the President of the UODO found that an administrative fine of less than PLN 100,000, imposed in these specific, individual circumstances of the case, would not meet any of the above requirements. In his assessment, such a fine would not be, firstly, proportionate to the very high seriousness of the infringement and the assessment of all the circumstances in which it was committed (see points 126 and 127 of the justification). It would also not be proportionate to the size of the administrator, who is a body managing a key ministry with significant material and human resources and – importantly – responsible for the security of the largest personal data bases in the country. Secondly, a penalty in the amount indicated above would not be an effective and deterrent penalty; in the opinion of the President of the UODO, it would not achieve the intended goals, i.e. to actually punish the Minister for his unlawful conduct and to discourage both him and other administrators from committing the same or similar violations in the future. It should be emphasised that the effectiveness and deterrent value of a financial penalty depends on its severity and the actual inconvenience to the punished entity. In the opinion of the President of the UODO, a penalty of less than PLN 100,000 would not be a really severe penalty for an authority such as the Minister of Digital Affairs. Taking the above into account, the President of the UODO stated that it would be inadmissible – in terms of the effectiveness, proportionality and deterrent nature of the penalty imposed – to impose on the Minister a penalty lower than PLN 100,000, i.e. lower than the maximum amount of the penalty provided for in art. 102 sec. 1 item 1 of the UODO. The President of the UODO is aware that a penalty of PLN 100,000 will not be a penalty that is really (measurably in financial terms) excessively burdensome for the Minister. However, imposing a penalty in the maximum possible amount should be an unambiguous expression of the President of the UODO’s definitely negative assessment of the infringement made by the Minister (authority). It is also worth emphasizing that the amount of the penalty imposed results exclusively from a significant (in relation to the general principles of administrative pecuniary penalties provided for in the provisions of Regulation 2016/679) limitation of the risk of penalty provided for public entities in art. 102 sec. 1 U.O.D.O. In the event of a fine being imposed on the Minister under the general threat specified in Article 83 paragraph 5 letter a) of Regulation 2016/679, this fine – due to the very high seriousness and highly reprehensible nature of the infringement – would have to be imposed in an amount many times exceeding PLN 100 000. Under general principles, the maximum threat of a fine for infringement of the principles regarding the processing of personal data specified in Article 5 of Regulation 2016/679 and Article 6 of Regulation 2016/679, in accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679, would be EUR 20 000 000.
V.C. Justification for imposing and determining the amount of the administrative pecuniary penalty imposed on the Company
Penalty assessment grounds – application of Article 83 paragraph 2 of Regulation 2016/679
129. When deciding to impose an administrative pecuniary penalty on the Company, the President of the Personal Data Protection Office – pursuant to Article 83 paragraph 2 letters a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which constitute the necessity to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative pecuniary penalty imposed.
130. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a) of Regulation 2016/679) The breaches attributed to the Company are of very high importance and exceptionally serious nature, expressed in the fact that they violate the basic principles of personal data processing, which are fundamental in the entire data protection system, defining its framework. It should be pointed out that Poczta Polska S.A., being a State Treasury company and at the same time the operator designated to provide universal services for the years 2016-2025 (see point 6 of the justification), should - in connection with the implementation of the public tasks entrusted to it - be distinguished by the utmost diligence and respect for the applicable provisions of law, including the provisions on personal data protection. In addition, as an entity designated by the Decision of the Prime Minister of 16 April 2020 to undertake and implement the necessary activities aimed at preparing for the holding of the elections of the President of the Republic of Poland in 2020 by correspondence, the Company, even before submitting to the Minister of Digital Affairs an application dated 20 April 2020 for the provision of personal data of voters from the PESEL register, should have conducted an in-depth analysis of the legality of such action, as well as the process of processing such data itself. This obligation, incumbent on every data controller under the provisions of Regulation 2016/679 (and the Company should undoubtedly be considered such in the established factual circumstances), was not in any way abolished by the state of epidemic in the country at that time. It should be noted that the right to legal protection of private life, which is enjoyed by all citizens, as well as the right to the protection of personal data – as rights guaranteed by the Constitution – were not subject to any restrictions in the analyzed context. It should be added that, in accordance with the Constitution of the Republic of Poland, even during martial law and a state of emergency, an act specifying the scope of restrictions on the freedoms and rights of a person and a citizen cannot limit the right to privacy (see Art. 233 sec. 1 of the Constitution of the Republic of Poland). The above requires that the nature of the violations attributed to the Company be assessed as aggravating, to a significant extent.
The President of the UODO also considers the scope of processing and the significant number of people affected by the violation to be an aggravating circumstance. In order to implement the PRM Decision of April 16, 2020, the Company illegally obtained from the PESEL register the personal data of all adults as of May 10, 2020, who at the time of data generation (i.e. April 22, 2020) had Polish citizenship registered in the PESEL register, were listed as living persons and for whom the indicated country of residence was Poland. Thus, the Company processed - without having a valid legal basis - information about approximately 30 million people with Polish citizenship, which in general constituted almost 80% of the country's population[14]. Although the scope of the analyzed processing was exclusively domestic (i.e. it did not extend beyond state borders), its huge scale, expressed in the processing of personal data of the vast majority of Polish society, requires that the Company be assessed as attributing the violation to be systemic, which significantly increases its significance. As already indicated in the part of the justification of this decision devoted to the reasons for imposing and determining the amount of the administrative fine imposed on the Minister of Digital Affairs (see point 109 of the justification), the supervisory authority did not find that the data subjects had suffered any material damage in connection with the identified infringements. Nevertheless, the very processing of personal data by the Company, despite the lack of a valid legal basis for doing so, gave rise to the possibility of non-material damage on the part of the data subjects, and in particular fears and uncertainty resulting from the inability to exercise control over their personal data. In particular, the persons whose data the Company processed in connection with the preparations for the elections of the President of the Republic of Poland in 2020 did not have any knowledge of how and whether such processing was carried out in accordance with the law. The significance of the premise under analysis is increased by the fact that the risk of non-pecuniary damage potentially concerned all (approximately) 30 million people whose personal data were on the DVD provided to the Company. Moreover, this risk materialized in relation to those people who filed complaints to the supervisory authority about irregularities in the processing of their personal data by the Minister and the Company, in connection with the organization of the elections for the President of the Republic of Poland, which were to be held on 10 May 2020.
The relatively short duration of the violations, i.e. from the moment of obtaining the disputed data from the PESEL register on 22 April 2020 until their complete deletion by the Company on 22 May 2020, should be considered to its advantage. However, taking into account the nature and gravity of the irregularities found, as well as the number of data subjects affected and the level of non-pecuniary damage they suffered, the premise specified in Article 83 paragraph 2 letter a) of Regulation 2016/679 – considered in its entirety – should be assessed as aggravating.
131. Intentional nature of the infringement of the provisions of Regulation 2016/679 by the Company (Article 83 paragraph 2 letter b of Regulation 2016/679) It should be emphasised that when analysing this premise, the President of the UODO was also bound, in accordance with 170 p.p.s.a., by the findings of the Provincial Administrative Court and the Supreme Administrative Court contained in the judgments referred to in points 11 and 12 of this decision. In view of the above, taking into account the factual findings made, the President of the UODO took the position that the Company decided to submit an application to the Minister of Digital Affairs on 20 April 2020 to provide its personal data from the PESEL register, and then processed this data, despite being aware of the risk of illegality of these actions - with which it accepted this state of affairs.
It should be indicated, in accordance with the position of the administrative courts expressed in the above-mentioned judgments, that on the date when the Company filed an application to transfer voter data from the PESEL register, the tasks related to ensuring the organizational, administrative, financial and technical conditions related to the organization and conduct of elections were the exclusive competence of the National Electoral Office. Although the provisions of the Act of 6 April 2020 on special rules for conducting general elections for the President of the Republic of Poland called in 2020 provided for the transfer of these tasks to the competences of the designated operator (i.e. the Company), it should be emphasized that this regulation entered into force only on 9 May 2020 – which means that by obtaining voter data from the PESEL register, the Company acted outside the law. Additionally, art. 102 point 4 u.s.i.w. abolished, during the period of the state of epidemic threat or the state of epidemic, when conducting general elections for the President of the Republic of Poland in 2020, the application of the provisions of the Electoral Code in the scope of, among others, postal voting referred to in art. 53a of this Code. Thus, it should be noted that from 18 April 2020 (i.e. from the moment art. 102 of the u.s.i.w. came into force) to 9 May 2020 (i.e. until the entry into force of the act on special rules for conducting general elections for the President of the Republic of Poland ordered in 2020), there were no statutory provisions enabling voting in these elections by correspondence.
The above circumstances were known to the Company. Firstly, the issue of the legality of conducting elections in the above-described procedure, as raising justified doubts, was commented on so widely in the public sphere that it cannot be assumed that the Company - as an entity directly involved in the organization of these elections - was not interested in the development of current events. In particular, it was the Company, being the addressee of the PRM Decision of 16 April 2020, that was to bear the first economic burden related to the implementation of the task entrusted to it. The Company's doubts as to its lack of competence in the scope described above are evidenced by the fact that the Company commissioned the preparation of three legal opinions in the context of the subject of the tasks and obligations and liability of the Members of the Company's Management Board, in connection with the implementation of the instruction contained in the PRM decision of 16 April 2020 (which circumstance the supervisory authority has already drawn attention to in point 89 of the justification). In this context, the content of the legal opinion of 23 April 2020, prepared in the Legal and Corporate Supervision Office of PP S.A., should be considered particularly important for the assessment of this premise. in which, it was pointed out that the Management Board Members have an obligation to act with due diligence in a situation in which the Act on special principles for conducting elections has not yet been adopted. In connection with this, it was recommended, among other things, to conduct an analysis of the decision (...) in terms of the justification for challenging it, in particular in the context of its compliance with the law. Taking into account the above-mentioned doubts of the Company - indisputable in view of the fact that the Company decided to seek a legal opinion in order to remove them - it is impossible to assume that the unlawful acquisition of voter data from the PESEL register was the result of an unconscious error of the Company as to the compliance of such processing with the law.
132. Any relevant previous infringements by the Company (Article 83 paragraph 2 letter e of Regulation 2016/679)
When deciding on the imposition and the amount of the administrative fine imposed on the Company, the President of the Personal Data Protection Office took into account, as an aggravating circumstance, the fact that the Company had previously violated the provisions of Regulation 2016/679. In connection with the impact of complaints from natural persons about irregularities in the processing of their personal data by the Company, the supervisory authority issued the following decisions in relation to it: - decision of September 22, 2020, reference number (...), stating the infringement of the provision of Article 12 paragraphs 3 and 4 in connection with Article 15 paragraph 1 letter b) of Regulation 2016/679, - decision of January 11, 2021, reference number (...), finding an infringement of the provisions of Art. 15 par. 1 letter c), Art. 15 par. 1 letter h) and Art. 15 par. 3 of Regulation 2016/679,- decision of 1 July 2021, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 7 March 2022, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 16 March 2022, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 20 September 2022, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 21 December 2022, reference number (...), finding an infringement of the provisions of Art. 6 par. 1, Art. 9 par. 1 and Art. 5 par. 1 letter a) of Regulation 2016/679,- decision of 26 January 2023, reference number (...), finding an infringement of the provisions of Art. 5 par. 1 letter c) and Art. 6 par. 1 of Regulation 2016/679,- decision of 2 February 2023, reference number (...), finding an infringement of the provisions of Art. 6 par. 1 of Regulation 2016/679,- decision of 2 February 2023, reference number (...), finding an infringement of the provisions of Art. 6 par. 1 of Regulation 2016/679,- decision of 29 June 2023, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 28 December 2023, reference number (...), finding an infringement of the provision of Art. 6 par. 1 in conjunction with Art. 5 par. 1 letter a) of Regulation 2016/679,- decision of 25 March 2024, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 10 July 2024, reference number (...), finding an infringement of the provision of Art. 6 par. 1 of Regulation 2016/679,- decision of 12 September 2024, reference number (...), stating a violation of the provision of art. 6 paragraph 1 of Regulation 2016/679,- decision of 27 November 2024, reference number (...), stating a violation of the provision of art. 9 paragraph 1 in connection with art. 5 paragraph 1 letter a) of Regulation 2016/679,
The above-mentioned earlier violations indicate the occurrence of serious problems in the Company's structures with the implementation of the obligations arising from the provisions of Regulation 2016/679. The Company was not able to demonstrate to the supervisory authority in the above-mentioned individual cases the legality of the processing or the proper implementation of the rights of data subjects - which resulted in the application of appropriate remedial measures against it. However, it should be noted that the previously identified violations (including those related to defective delivery of parcels or unlawful processing of personal data of the Company's employees) were mostly the result of human error and concerned the processing of personal data at the local level, and were therefore in no way related to the Company's activities assessed in these proceedings. In view of the above, they cannot be considered "relevant" previous violations within the meaning of Article 83 paragraph 2 letter e) of Regulation 2016/679.
Nevertheless, taking into account the position of the EDPB, according to which "all previous infringements may constitute information about the general approach of the controller or processor to compliance with the provisions of the GDPR" (see point 88 of the Guidelines 04/2022), the President of the UODO considered the Company's previous attitude - indicating existing difficulties in respecting the provisions on the protection of personal data - to its detriment, assuming that the identified previous infringements currently justify imposing an administrative fine on the Company. At the same time, however, the lack of a clear connection between the above-mentioned complaint cases and the present case required that the analyzed premise be considered as aggravating to an extent that did not significantly affect the amount of the imposed fine.
133. Categories of personal data concerned by the infringement (Article 83 paragraph 2 letter g of Regulation 2016/679) Considering the fact that a detailed assessment of the premise included in Article 83 paragraph 2 letter g of the Regulation g) Regulation 2016/679, was carried out by the supervisory authority in the part of the justification of this decision devoted to the reasons for imposing and determining the amount of the administrative fine applied to the Minister of Digital Affairs (see point 112 of the justification), and at the same time the scope of personal data obtained and processed by the Company in connection with the preparation for the elections of the President of the Republic of Poland in 2020 in correspondence mode fully coincides with the scope of data made available from the PESEL register by the Minister of Digital Affairs, the President of the UODO - in order to avoid unnecessary repetitions - refers to the analysis made therein. All arguments previously raised by the supervisory authority will be applied in relation to the infringements attributed to the Company. 134. When determining the amount of the administrative fine, the President of the UODO took into account in favour of the Company, under the premise concerning any other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k of Regulation 2016/679), the fact that the infringement of the provisions of Regulation 2016/679 by the Company was remedied relatively quickly. As established, on May 15, 2020, the Company commenced activities related to the irreversible deletion of all personal data provided to it by the Minister of Digital Affairs – a process which it completed on May 22, 2020. The Company therefore restored the state in accordance with the law shortly after the purpose which, in the Company's opinion, justified obtaining personal data of voters from the PESEL register ceased to exist (i.e. after the Company's preparations for the general elections of the President of the Republic of Poland called in 2020, which were to be held on May 10, 2020, had been completed). The deletion of data by the Company was an action completely independent of the intervention of the supervisory authority, which speaks in favor of reducing the amount of the administrative fine imposed on the Company. The reduction carried out, however, takes into account the fact that the steps taken by the Company were not entirely spontaneous, but were related to the prior intervention of the Minister, who obliged the Company in writing to submit a declaration regarding the deletion of the personal data made available to it and all copies thereof. The aforementioned call on the Company to cease processing personal data obtained from the PESEL register – although it does not change the overall assessment of the analyzed premise, which should undoubtedly be considered a mitigating one – speaks in favor of assigning it less significance than it would have in a situation where the Company had proceeded to delete the data on its own initiative.
135. Other circumstances indicated below, referred to in Article 83 sec. 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the UODO to be neutral in his assessment, i.e. having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine.
136. Actions taken to minimize the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679) In the context of this premise, the purpose of the controller's action is important, i.e. to minimize the damage suffered by data subjects. The President of the UODO did not note this type of action by the Company in this case, which is why he assessed this premise neutrally. This assessment is not changed by the fact that the Company ultimately, i.e. after the declared purpose for which it processed the personal data of voters obtained from the PESEL register ceased to exist, permanently deleted this data and all copies thereof. While deleting the data could have eliminated the state of fear existing on the part of data subjects related to the fact of losing control over their personal data, the Company did not take any other actions that would directly aim to minimize the above damage. In view of the above, there is no basis for evaluating the analyzed premise in a manner other than that resulting from this decision.
137. Degree of responsibility, taking into account the technical and organizational measures implemented by it pursuant to Art. 25 and 32 of Regulation 2016/679 (art. 83 sec. 2 letter d of Regulation 2016/679)Due to the nature of the infringements of the provisions of Regulation 2016/679 identified in this case (processing of personal data from the PESEL register, despite the lack of legal basis) – which infringements are not essentially related to the technical and organizational measures applied by the controller, but only to the assessment of the correctness of the Company's interpretation of the provisions legalizing processing – it should be assumed that the premise indicated in Art. 83 sec. 2 letter d) of Regulation 2016/679 has neither an aggravating nor attenuating effect on the amount of the administrative pecuniary penalty imposed. It is not relevant in the assessment of the Company's infringement of the provisions of Art. 5 sec. 1 letter a) and Art. 6 sec. 1 of Regulation 2016/679.
138. Degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its potential negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679) The President of the Personal Data Protection Office indicates that on the date of initiation of these administrative proceedings, personal data obtained from the PESEL register were no longer processed by the Company. Consequently, at this stage it is not possible to assess the degree of cooperation between the Company and the President of the Personal Data Protection Office in order to eliminate the infringement and mitigate its potential negative effects. However, the fact that the Company voluntarily eliminated the infringement was taken into account in its favour in the assessment of the premise specified in Article 83 paragraph 2 letter k) of Regulation 2016/679.
139. How the supervisory authority learned of the breach, in particular whether and to what extent the controller or processor reported the breach (Article 83 paragraph 2 letter h of Regulation 2016/679)The supervisory authority learned of the Company's breach of the provisions of Regulation 2016/679 as a result of numerous complaints received from individuals and from information from publicly available media. Given the fact that the unlawful conduct of the controller reported to the authority does not constitute a "breach of personal data protection" within the meaning of Article 4 point 12 of Regulation 2016/679 – i.e. a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed – the Company was not obliged to report it to the supervisory authority in the manner provided for in Article 33 of the discussed legal act. It should be pointed out that the provisions of Regulation 2016/679 do not impose a similar obligation on controllers in the event of a breach that does not result in a disruption of the security of the personal data being processed, which may affect the confidentiality, integrity or availability of such data. Thus, the manner in which the authority learned of the breach should be assessed as a neutral fact, irrelevant to the resolution of this decision.
140. If the controller concerned had previously been subject to measures referred to in Article 58 sec. 2 – compliance with these measures (Article 83 paragraph 2 letter i of Regulation 2016/679) Before issuing this decision, the President of the UODO did not apply to the Company in the case at hand any of the measures listed in Article 58 paragraph 2 of Regulation 2016/679, and therefore the Company was not obliged to take any actions related to their application, and which actions, assessed by the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified infringement.
141. Application of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83 paragraph 2 letter j of Regulation 2016/679) As of the date of the decision, the Company did not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers, therefore the circumstance of their non-application cannot be considered to the Company's detriment in this case. On the other hand, the circumstance of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of personal data processing could be considered to its advantage, however, in the case at hand such a circumstance did not occur.
142. Financial benefits achieved directly or indirectly in connection with the infringement (Article 83 sec. 2 letter k of Regulation 2016/679) In the course of the proceedings, no impact of the infringement of the provisions of Regulation 2016/679 on the Company's financial benefits achieved or losses avoided was found. There is therefore no basis to treat this circumstance as an aggravating circumstance. The finding that there were measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed clearly negatively. On the other hand, the failure of the Company to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be mitigating. This interpretation is confirmed by the very wording of the provision of Article 83 sec. 2 letter k. k) Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - those incurred by the entity committing the infringement.
Determining the amount of the penalty using Guidelines 04/2022
143. In determining the amount of the administrative fine imposed on the Company in this case, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the instructions presented in this document, the President of the UODO carried out the penalty calculation process presented below.
144. The President of the Personal Data Protection Office adopted the value of the Company's turnover for 2024 presented by it in the declaration attached to the Company's letter dated 6 February 2025 as the basis for calculating the administrative fine. According to this document, the Company's turnover in 2024 (in the "previous financial year") amounted to PLN (...), which – when converted into euro (at the average euro exchange rate of 28 January 2025 – EUR 1 = PLN 4.2092 – adopted for this and all other currency conversions below in accordance with Art. 103 of the Personal Data Protection Office) – is the equivalent of EUR (...). In addition, the financial report for 2023 submitted by the Company, also attached to the letter dated 6 February 2025, shows that its turnover in that financial year amounted to PLN 6,593,890,000, and in 2022 – PLN 6,529,913,000.
145. The President of the UODO categorized the infringement of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). Infringements of the provisions of Article 5 and Article 6 of Regulation 2016/679 are – in accordance with Article 83 paragraph 5 letter b) a) Regulation 2016/679 – to the category of infringements punishable by the higher of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 20,000,000 or up to 4% of the company's turnover in the previous financial year). They are therefore in abstracto the "most serious" of the infringements provided for in Regulation 2016/679; they are more serious than the second group of infringements subject to administrative fines (specified in Article 83 paragraph 4 of Regulation 2016/679).
146. The President of the UODO has established a legally defined maximum amount of the fine that may be imposed on the Company in this case (for the infringement of Art. 6 par. 1 and Art. 5 par. 1 letter a) of Regulation 2016/679 assessed in this decision) – see Chapter 6.1 of Guidelines 04/2022. The provision of Art. 83 par. 5 letter a) of Regulation 2016/679 obliges the President of the UODO to determine whether the so-called "static maximum amount" (EUR 20 000 000) or the "dynamic maximum amount" (4% of the turnover from the previous financial year) will apply in the case, and to adopt the higher amount as the maximum amount that the administrative fine imposed in the case may not exceed. The value of 4% of the Company's turnover for the previous financial year is the amount of PLN (equivalent to EUR (…)). Since this amount is higher than the static maximum amount (EUR 20,000,000), the President of the UODO is obliged to accept it as the maximum, which he cannot exceed when imposing an administrative fine on the Company.
147. The President of the UODO assessed the infringement found in this case as a violation of a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, these premises were taken into account among those listed in Article 83 para. 2 Regulation 2016/679, which concern the material party to the infringement (they constitute the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringement (Article 83 paragraph 2 point (a) of Regulation 2016/679), the intentional or unintentional nature of the infringement (Article 83 paragraph 2 point (b) of Regulation 2016/679) and the categories of personal data concerned by the infringement (Article 83 paragraph 2 point (g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above (see points 130, 131 and 133 of the justification). It should only be noted here that considering their combined effect on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is high. The consequence of this is the adoption – as the starting amount for calculating the penalty – of a value ranging from 20% to 100% of the maximum amount of the penalty that may be imposed on the Company (see point 60, third indent of Guidelines 04/2022), i.e. – taking into account the dynamic maximum amount established for the Company (see point 146 of the justification) – from the amount of PLN ((...) (EUR) to the amount of PLN ((...) (EUR). The President of the UODO considered the amount of PLN (...) equivalent to EUR ((...) (% of the legally defined maximum amount of the penalty for the Company) to be an adequate starting amount justified by the circumstances of this case. 148. In accordance with the EDPB’s advice presented in point 66 indent (...) of Guidelines 04/2022 (referring to undertakings with an annual turnover of (...)), the President of the UODO did not consider it justified to use the possibility of reducing the starting amount based on the assessment of the high seriousness of the infringement, which possibility these guidelines (in Chapter 4.3) provide for undertakings of smaller size and economic power. The EDPB indicates therein that in the case of (...).
149. The President of the UODO assessed the impact on the established infringement of the other circumstances (apart from those taken into account above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement, i.e. to the entity itself that committed the infringement and to its conduct before, during and after the infringement, as well as to other circumstances relevant to the case. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above (see points 132 and 134-142 of the justification). At this point, it should only be indicated that two of them had – in the opinion of the President of the UODO – an impact on the amount of the penalty imposed. The President of the UODO considered that the aggravating circumstance against the Company (although to a small extent) are the relevant earlier infringements of the provisions of Regulation 2016/679 identified by the President of the UODO (Article 83 paragraph 2 letter e) of Regulation 2016/679). On the other hand, a circumstance mitigating the amount of the penalty imposed (and this – in the opinion of the President of the UODO – significantly) is the fact that the Company relatively quickly remedied the infringement (Article 83 paragraph 2 (k) of Regulation 2016/679). The remaining premises of Article 83 paragraph 2 (letters c), d), f), h), i), and j) of Regulation 2016/679) – as indicated above – had neither a mitigating nor an aggravating effect on the assessment of the infringement and, consequently, on the amount of the penalty. Therefore, due to the existence of additional circumstances in the case affecting the assessment of the infringement, the President of the UODO considered it justified to further adjust the amount of the penalty determined on the basis of the assessment of the seriousness of the infringement (see point 147 of the justification). In the opinion of the President of the UODO, the combined impact of both of these premises on the assessment of the infringement is adequate to the further reduction of the fine by (…) % – to the amount of (…) PLN, which is equivalent to (…) euro. Such a significant reduction of the fine at this stage of its calculation is primarily the effect of the President of the UODO taking into account the relatively quick removal of the infringement by the Company. This action by the Company removed one of the purposes for which the administrative fine is to be imposed – the need to restore the state of affairs consistent with the law.
150. Despite the fact that the amount of the fine determined in accordance with the above principles does not exceed the legally defined maximum fine, the President of the Personal Data Protection Office considered that it requires additional correction due to the principle of proportionality listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives for the assessment of the fine (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine in the amount of PLN (…) would be an effective penalty (due to its severity, it would allow to achieve its repressive purpose, which is to punish for unlawful conduct) and a deterrent (effectively discouraging both the Company and other controllers from committing such serious infringements of the provisions of Regulation 2016/679 in the future). However, a fine of this amount would be – in the opinion of the President of the Personal Data Protection Office – a disproportionate fine due to its excessive severity.
According to Guidelines 2016/679, fines: firstly “should not be disproportionate in relation to the objectives they serve” (point 138), secondly “should be proportionate to the infringement assessed as a whole, taking into account in particular the gravity of the infringement” (point 138), and thirdly should be proportionate “to the size of the undertaking to which the entity that committed the infringement belongs” (point 139). In addition, however, the principle of proportionality "requires that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives", and "where there is a choice of more appropriate solutions, the least onerous should be applied, and the resulting inconveniences may not be excessive in relation to the intended objectives" (points 137 and 139). In other words, as it is assumed in Polish doctrine, "[a] sanction is proportionate if it does not exceed the threshold of hardship determined by taking into account the circumstances of the specific case"[15]. It should be noted that the consideration of the least hardship of the sanction applied - the last of the above-mentioned aspects of the principle of proportionality (and only this aspect) - speaks in this case in favor of reducing the amount of the penalty imposed on the Company. When balancing the impact of the principle of proportionality (in all its aspects) on the penalty, and at the same time the need to maintain the effectiveness and deterrent nature of the penalty, i.e. all the requirements indicated by the EU legislator in Article 83 paragraph 1 of Regulation 2016/679 (which, it is worth emphasizing, are equivalent and equally important to each other), the President of the UODO took into account the special status of the Company, the context of its activities as a designated operator, as well as its current financial situation resulting in part from this context and the regulatory environment in which it operates.
The financial report for 2023, presented by the Company in the attached letter of 6 February 2025, shows that in 2022 the Company recorded a net loss of approximately PLN 5.7 million, and in 2023 a net loss of approximately PLN 621 million. For 2024, the Company did not submit a financial report to the President of the Personal Data Protection Office; as the Company indicated, the financial data is being audited by a certified auditor. However, according to the commonly known information presented publicly by the Secretary of State in the Ministry of State Assets (i.e. the ministry exercising ownership supervision over the Company), in the first half of 2024 the Company's loss amounted to approximately PLN 315 million[16], while in the whole of 2024 - approximately PLN 230 million[17]. These data undoubtedly indicate the poor financial situation of the Company. Such high losses of the Company are, among others - as emphasized by the representative of the Ministry of State Assets - "the result not only of changes in the postal market, but also years of neglect and terrible management, which resulted in the company's model not being adapted to the current challenges of the postal market"[18]. Their cause therefore lies largely with the Company; they are not the result of extraordinary events occurring in the Company's external environment. However, it should also be noted that the losses incurred by the Company also result from reasons beyond the Company's control - they are related to the obligation to provide universal postal services, which are not subject to free market conditions. Their provision, including setting their price and maintaining the necessary infrastructure, are strictly regulated by law and are subject to supervision by the Office of Electronic Communications, so as to ensure their availability, continuity and affordability. The President of the UODO is also aware that the Company's financial results in the period under review were affected by the delay in the State Treasury refinancing the net cost of the obligation to provide universal services incurred by the Company in 2021-2022, resulting from the need to notify it (as state aid) to the European Commission and the delay in this body issuing a decision on the compliance of the refinancing of this cost with EU rules on granting state aid. Ultimately, in 2024, the Company received an initial payment towards financing the net cost of the universal service obligation in 2021-2022 in the amount of approximately PLN 749 million, and in November of that year, the European Commission issued a decision confirming the compliance of state aid consisting in the financing of this cost by the Polish state in 2021-2025 with European Union law[19]. This decision undoubtedly helped to stabilize the Company's financial situation. Based on this, financing from the State Treasury in the total amount of approx. PLN 3.7 billion was paid (PLN 749 million in 2024) or is to be paid to the Company in the coming years, including approx. PLN 963 million in 2025 as financing of the net cost incurred for public services in 2023.
Analysing the financial situation of the Company in the context of assessing the severity of the penalty and its effects on the functioning of the Company, the President of the UODO notes the attempts currently undertaken to improve the financial condition of the Company, expressed in the implementation of remedial actions in the Company, including, among others: the adoption by the Management Board of the so-called Transformation Plan[20], termination of the Company Collective Bargaining Agreement with effect from 28 February 2025[21], implementation of the Voluntary Redundancy Program of the Company's employees adopted by resolution of the Company's Management Board on 7 January 2025[22]. These actions are aimed at, among others, reducing the costs of the Company's operations, including reducing costs ("optimization") of employment. Under the latter program alone, a reduction of approximately 8.5 thousand full-time positions is planned[23]. All these actions of the Company, undoubtedly necessary and justified by its financial situation, may affect the Company's performance of its public tasks; they may involve the risk of lowering the quality of the universal postal services it provides or disrupt the process of implementing the e-delivery system. The President of the UODO is aware that imposing an excessively onerous penalty on the Company in this situation would result in the materialization of this risk, which would result in negative consequences for both individual citizens and entire areas of the functioning of the state (public administration, justice, defense, etc.). A penalty that does not take into account the above-mentioned circumstances could also - by disrupting the Company's remedial processes - threaten its very existence, which - considering the size of the Company - would be associated with negative consequences on a large scale in the social sphere.
Taking into account the above circumstances, the President of the UODO considered that a penalty in the amount of PLN (…) (taking into account the high seriousness of the infringement, the size of the Company's enterprise and all the circumstances indicated in art. 83 sec. 2 of Regulation 2016/679, and at the same time undoubtedly having the values of effectiveness and deterrence) would be an excessively onerous penalty and therefore not in line with the principle of proportionality. The effect of reducing the Company's financial resources by this amount during the remedial process (which in itself requires the investment of additional funds, including to finance the Voluntary Redundancy Program) could be – in the opinion of the President of the UODO – the materialization of the risks indicated above for the implementation of public tasks performed by the Company. Therefore – having regard to the proportionality of the imposed penalty – the President of the UODO further reduced its amount – by (…) % in relation to the amount obtained after taking into account additional circumstances having an aggravating and mitigating effect on the amount of the penalty (see point 149 above), i.e. to the amount of PLN 27,124,816 (equivalent to EUR 6,444,174). In his opinion, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount constitutes, in the opinion of the President of the Personal Data Protection Office, a certain threshold above which a further increase in the amount of the fine (and thus its severity) will not be associated with an increase in its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the fine could be at the expense of its effectiveness, deterrent nature and proportionality to the seriousness of the infringement, as well as at the expense of the coherent application and enforcement of Regulation 2016/679 by the European supervisory authorities and at the expense of the principle of equal treatment of entities on the internal market of the EU and the EEA. For such a large entity as the Company, with such huge turnover and possibilities of financing liabilities (including the liability resulting from the sanction imposed in this decision), the fine in the above amount will be - in the opinion of the President of the Personal Data Protection Office - possible to pay without excessive detriment to its functioning and the performance of tasks resulting from its status as a designated operator. It constitutes only (…) % of the revenues generated by the Company in 2024. At the same time, its amount is only approx. (…) % of the legally defined maximum amount of the penalty that the Company may face for its infringement of the provisions of Regulation 2016/679. It is also worth noting that the amount of the penalty imposed on the Company is small in relation to financial transfers between the state budget and the Company for the financing of the net cost of the obligation to provide universal services alone; it constitutes only 2.8% of the amount that the Company has already received in this respect[24] in 2025 (PLN 963 million to cover the cost incurred in 2023).
151. The President of the UODO stated that the amount of the administrative fine determined in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 of Regulation 2016/679 – the legally defined maximum amount of the fine provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022). The infringements of both provisions of Regulation 2016/679 (Article 5 and Article 6) found in this case are subject to the same penalty of up to 4% of the Company's annual turnover from the previous financial year; these infringements should therefore be considered to be of the same seriousness within the meaning of Article 83 paragraph 3 of Regulation 2016/679. As indicated above, the "dynamic maximum amount" applies to the Company in this case, i.e. the amount of PLN (equivalent to EUR) – see point 146 of the justification. The amount of the penalty imposed jointly for the infringements of both provisions of Regulation 2016/679, determined in the manner presented in the above points – PLN 27,124,816 (equivalent to EUR 6,444,174) – clearly does not exceed the “dynamic maximum amount” specified for each of the infringements considered separately (“does not exceed the amount of the penalty for the most serious infringement” – in accordance with the literal wording of Article 83 paragraph 3 of Regulation 2016/679).
V.D. Summary
152. Taking into account the established factual circumstances and legal conditions, the President of the UODO – for the infringements of Article 5 paragraph 1 letter a) and Article 6 paragraph 1 of Regulation 2016/679 attributed to both controllers in these proceedings – imposed administrative fines on them. The penalty of PLN 100,000 imposed on the Minister of Digital Affairs was imposed on him on the basis of Article 83 paragraph 5 letter a) in connection with Article 83 paragraph 3 of Regulation 2016/679 and Article 102 paragraph 1 points 1 and 3 of the Personal Data Protection Act. In turn, the administrative fine of PLN 27,124,816 (equivalent to EUR 6,444,174) imposed on Poczta Polska S.A. was imposed on the Company on the basis of Article 83 paragraph 5 letter a) in connection with Article 83 paragraph 3 of Regulation 2016/679.
153. In the opinion of the President of the Personal Data Protection Act, the above-mentioned financial sanctions fulfil the functions of the penalty specified in Article 83 paragraph 1 of Regulation 2016/679 and constitute the most adequate and, above all, fair response of the supervisory authority to the identified infringements of the provisions of Regulation 2016/679. The imposition of administrative pecuniary penalties in the amounts determined by the supervisory authority is necessary and justified by the nature, gravity and other circumstances of the case, which the supervisory authority considered aggravating in the context of the infringements attributed to both the Minister and the Company. At the same time, the President of the UODO notes that the application to the above-mentioned controllers of any other remedial measure provided for in Art. 58 sec. 2 Regulation 2016/679, in particular limiting it to a warning (Article 58 paragraph 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that these controllers would not commit further negligence in the future.
[1] See: - Announcement of the National Electoral Commission of 6 February 2020 on the number of voters included in the voter registers (M. P. of 2020, item 167),- data on the number of persons entitled to vote in the elections of the President of the Republic of Poland, which took place on 28 June 2020 (...),- (…)[2] Act of 30 August 2002 - The Code of Administrative Court Procedure (Journal of Laws of 2024, item 935, as amended), hereinafter referred to as: "p.p.s.a.".[3] Act of 14 June 1960 - The Code of Administrative Procedure (Journal of Laws of 2024, item 572), hereinafter referred to as: "Code of Administrative Procedure" or "k.p.a."; Art. 189g § 1 of this Act states: "An administrative fine may not be imposed if five years have passed since the date of the infringement of the law or the occurrence of the effects of the infringement of the law."[4] Pursuant to the decision of the President of the Office of Electronic Communications of 30 June 2015, reference number: DRP.WKP.710.2.2015.26,27, the Company was selected as the operator designated to provide universal services for the years 2016-2025 - see: (...)[5] See also: (...)[6] The Act of 24 September 2010 on the Population Register - in the wording applicable on the date of making the personal data in question available (i.e. 22 April 2020), hereinafter referred to as the "Population Register Act".[7] Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor contained in the GDPR, version 2.0, adopted on 7 July 2021, hereinafter referred to as "Guidelines 7/2020".[8] Act of 26 June 1974 - the Labour Code (Journal of Laws of 2025, item 277), hereinafter referred to as the "Labour Code".[9]B. Adamiak, [in] B. Adamiak, J. Borkowski, Code of Administrative Procedure. Commentary, Warsaw 2004, p. 371.[10] See judgment of the Supreme Administrative Court of 4 August 2017, file ref. Act I OSK 1607/16, LEX No. 2345355, as well as A. Wróbel [in:] M. Jaśkowska, M. Wilbrandt-Gotowicz, A. Wróbel, Updated Commentary to the Code of Administrative Procedure, LEX/el. 2025, art. 78, together with the citation therein E. Iserzon, Commentary, 1970, p. 166. [11] See: Information of April 23, 2021 on the results of the audit conducted by the Supreme Audit Office in relation to the activities of selected entities in connection with the preparation of the general elections for the President of the Republic of Poland called for May 10, 2020 with the use of postal voting, pp. 41-42 (...). [12] See: Statistical Yearbook of the Republic of Poland 2021, prepared by the Central Statistical Office, p. 207 (...).[13] See: information made available on the website of the Sejm of the Republic of Poland, concerning vote no. 43 at the 9th session of the Sejm of the Republic of Poland (...).[14] See: Statistical Yearbook of the Republic of Poland 2021, prepared by the Central Statistical Office (...).[15] Commentary to art. 83 [in] P. Litwiński (ed.) General regulation on personal data protection. Personal data protection act. Selected sectoral provisions. Commentary. Commentary to art. 83. Legalis.[16] See Record of the course of the meeting of the Standing Subcommittee on Construction, Spatial Management and Housing and the Post Office (No. 9) of 22 January 2025 (p. 4) – available at (...).[17] See Stenographic Report of the 29th Session of the Sejm of the Republic of Poland on 21 February 2025 (second day of the session) (p. 230) – available at (...).[18] Ibidem.[19] See announcements available at (...) and (...).[20] See the Company announcement available at (...).[21] See the announcement of the OM NSZZ Pracowników Poczty Polskiej available at (...).[22] See the Company announcement available at (...).[23] See Stenographic Report of the 29th Session of the Sejm of the Republic of Poland on 21 February 2025 (second day of the session) (p. 231) – available at (...).[24] See the announcement of the Ministry of State Assets available at (...)
