Court case III OSK 4727/21 – Court Ruling (Poland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Polish Supreme Administrative Court agreed with the DPA that a healthcare institution should delete a former employee's data from its computer. The court found no legal reason to keep the data just in case it might be needed for future claims. This decision underscores the importance of not holding onto personal data without a clear legal basis.
What happened
The court upheld a decision requiring a healthcare institution to delete a former employee's personal data from its systems.
Who was affected
The affected individual was a former employee whose personal data was stored by the healthcare institution.
What the authority found
The court found no legal justification for the healthcare institution to keep the former employee's data for potential future claims.
Why this matters
This case highlights that organizations cannot retain personal data without a valid reason, reinforcing the need for clear data retention policies. Businesses should ensure they have a legitimate basis for storing personal data.
GDPR Articles Cited
The Polish DPA issued a decision ordering a health care institution to delete the personal data of a former employee stored on the hard drive of the company computer which he used during his employment. The DPA concluded that, in the present case, none of the prerequisites of Article 6(1) and Article 9(2) GDPR authorising the health care institution to process the complainant's personal data after termination existed. The health care institution argued that it needed to process the personal data of former employees in order to defend itself against possible civil claims, but the DPA explained that such a reason does not have legal justification as a basis for processing under the GDPR. Personal data cannot be processed 'as a back-up' with the assumption that the data may be useful in the future, and stored up until the statute of limitations for civil law claims. The DPA held that there were no grounds entitling the employer to process the data to defend itself from hypothetical claims in the future. This decision was appealed by the health institution to the Voivodship Administrative Court in Warsaw, which dismissed the complaint. The appellant further appealed against the judgment to the Supreme Administrative Court and requested that the contested decision be suspended. The appellant claimed that it was necessary to suspend the execution of the contested decision, since its execution would produce effects for the applicant which are impossible to reverse (via the destruction of potential evidence). The Polish Supreme Administrative Court sided with the Polish DPA, and held that the appellant did not prove premises justifying the suspension of the execution order of the appealed decision issued by the DPA. It held that reference to the processing of the complainant's personal data in order to defend against any claims is not legally justified and does not constitute a premise entitling to the processing of personal data. In the opinion of the Court, the risk of
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case III OSK 4727/21 in PL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case III OSK 4727/21 - Poland (2021). Retrieved from cookiefines.eu
Last updated: