Court case II SA/Wa 1340/20 – Court Ruling (Poland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Polish court upheld a decision that a car rental company unlawfully kept a customer's personal data without a valid reason. The company claimed it needed the data for potential legal claims, but the court disagreed. This ruling emphasizes the importance of having a legitimate reason for holding personal data.
What happened
A car rental company was ordered to delete a customer's personal data due to lack of a valid processing basis.
Who was affected
A customer who rented a car and whose personal data was retained by the company.
What the authority found
The court upheld the decision that the company had no valid reason to keep the customer's data under GDPR.
Why this matters
This case underscores the necessity for businesses to have a clear and valid reason for retaining personal data. Companies should regularly review their data retention policies to ensure compliance with GDPR.
GDPR Articles Cited
An individual lodged a complaint with the supervisory authority against the company, claiming that the company had unlawfully processed his personal data in connection with a car rental contract (including by means of a copy/scan of his identity card and driving licence). The company stated that it obtained the complainant's personal data from the complainant himself in connection with the conclusion of the car rental agreement, including his first name, surname, address, identity card number, driving licence number and telephone number, which it currently processes in its IT system designed for comprehensive servicing of car rental companies. The company submitted that it currently processed the complainant's personal data solely for the purpose of possibly establishing, investigating or defending against claims related to the car rental, on the basis of Article 6(1)(f) GDPR. Following an administrative investigation, the supervisory authority ordered the company to delete the complainant's personal data in terms of name, surname, address, identity card number, driving licence number. The DPA questioned the basis indicated by the Company for processing the complainant's personal data, as it did not appear from the evidence that the complainant had filed a claim against the Company or that the Company had asserted any claims against the complainant in court that would justify the Company's right to retain and process the complainant's personal data in connection with its safeguarding and assertion by the complainant or the Company. The Company appealed to the court. The court dismissed the controller's appeal against the supervisory authority's decision. The court pointed out that the legal basis for the processing of personal data listed in the provision of Article 6(1)(f) GDPR applies when the controller does not have the consent of the data subject, there is no provision which could constitute a basis for the processing of personal data, and when the controller
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case II SA/Wa 1340/20 in PL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case II SA/Wa 1340/20 - Poland (2021). Retrieved from cookiefines.eu
Last updated: