Court case III OSK 4727/21 – Court Ruling (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Polish court ruled that a health care institution must delete a former employee's data stored on a computer. The court found that the institution had no valid reason to keep this data after the employment ended. This decision reinforces the importance of data deletion when it's no longer needed.
What happened
The court ordered a health care institution to delete a former employee's personal data that was improperly retained.
Who was affected
The former employee whose data was stored and processed after their employment ended.
What the authority found
The court upheld the DPA's decision that the health care institution lacked a legitimate interest to keep the employee's data after the employment relationship ceased.
Why this matters
This ruling stresses that organizations must delete personal data when it is no longer necessary. Companies should regularly review their data retention policies to comply with privacy regulations.
Original data from scraper before AI verification against source document.
A former employee of a health care institution filed a complaint with the Polish DPA (UODO). The employee (a data subject) claimed the health care institution (a controller) unlawfully processed their data stored on their business computer hard drive. According to the data subject, there was no legal basis to process their data after the employment relationship ceased. Consequently, the data subject asked for deletion of their data.
The DPA ordered the controller to delete the personal data. According to the DPA, the controller didn't have a legitimate interest under Article 6(1)(f) GDPR to process the data. Although the controller argued the data were necessary for the defence of legal claims, the claims were of a hypothetical nature. Thus, the controller processed the data in advance.
The controller brought an appeal before the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The appeal was dismissed. The court found no evidence that processing of the data at stake was necessary for the purpose of the controller's legitimate interest. The court emphasised that purely theoretical, future claims cannot justify data processing once the employment relationship came to an end under a conciliatory agreement (mutual consent of the parties). Hence, the DPA's decision was upheld.
The controller lodged a cassation appeal before the Supreme Administrative Court (Naczelny Sąd Administracyjny – NSA). The Supreme Administrative Court upheld the cassation appeal. The court of first instance failed to hear the case properly. The appeal was not thoroughly assessed and not all the controller's statements against the DPA decision were answered. In particular, the court of first instance didn't identify the category of data processed by the controller, nor the data stored on the hard drive. It remained unknown whether the hard drive also contained data of other individuals. Moreover, the court of first instance didn't explain in detail why the controller was not
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case III OSK 4727/21 - Poland (2024). Retrieved from cookiefines.eu