Court case II SA/Wa 2227/19 – Court Ruling (Poland, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Polish court overturned a decision by the data protection authority regarding a company's mishandling of personal data. The court found that the GDPR did not apply because the data was not part of an organized filing system. This case highlights the importance of understanding when GDPR rules apply to data processing activities.
What happened
A Polish court ruled that GDPR did not apply to a case where personal data was shared in a public setting without being part of a structured filing system.
Who was affected
The individual whose personal data was read aloud in a public office setting by company employees.
What the authority found
The court decided that GDPR rules did not apply because the data was not processed as part of a filing system, as required under Article 2(1) GDPR.
Why this matters
This ruling clarifies that GDPR only applies to data processing that involves organized filing systems. Businesses should ensure they understand the scope of GDPR to avoid unnecessary compliance burdens.
GDPR Articles Cited
The data subject's complaint concerned irregularities in the process of processing of his personal data by the company. They consisted in making his personal data available to unauthorised persons. It was alleged that the company's employees - in the presence of third parties located in the MP's office (public place) - read, using the applicant's personal data, the content of the statement on termination of the employment contract. The applicant indicated that - after refusing to accept the termination - representatives of the company left an unsecured letter containing the termination in the presence of persons in the MP's office; therefore, the applicant requested that all actions be taken to rectify the violations indicated. President of the Personal Data Protection Office has decided that the provision of personal data to the applicant in the above mentioned way was done in violation of the provisions of personal data protection Article 5 (1) (c) and (f) of the GDPR. Both parties filed a complaint against the President of the Personal Data Protection Office decision with the Provincial Administrative Court for Warsaw. The court considered whether the Polish DPA correctly applied Article 5(1)(c) and (f) of the GDPR and whether the GDPR provisions would be applied at all in the given situation. The Provincial Administrative Court for Warsaw revoked the decision of the President of the Personal Data Protection Office. In its reasoning, the Court states that Article 2 (1) of the GDPR shall apply only "to the processing of personal data wholly or partly by automatic means and to the processing, other than by automatic means, of personal data which form part of a filing system or are intended to form part of a filing system". The Court stressed that under Article 4(6) of the GDPR, a data filing system is a structured set of personal data accessible according to specific criteria, whether that set is centralised, decentralised or dispersed on a functional or geo
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case II SA/Wa 2227/19 in PL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case II SA/Wa 2227/19 - Poland (2020). Retrieved from cookiefines.eu
Last updated: