Court case C 310/23 – Court Ruling (Poland, 2025)

A data subject applied for a loan with a Polish credit institution, the controller. After reviewing the loan conditions, they decided not to proceed and requested the cancellation of their application. Despite this cancellation, the data subject continued to receive marketing communications and alerts from the controller and related entities. The data subject objected to the processing of their personal data on multiple occasions and submitted requests under Article 15 GDPR to obtain information about which entities received their data, the purpose of sharing it, and the legal basis for processing. They also requested the deletion of their personal data. The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA. The DPA issued a final decision warning the controller for violating Article 6(1), Article 5(1)(b) and Article 5(1)(e) GDPR. The DPA also found that the controller failed to meet the obligations under Article 15(1) and Article 15(3) GDPR by providing incorrect information and failing to supply a copy of the personal data. Following the DPA’s decision, the data subject requested that the controller pay PLN3,000 (€709,95) in compensation and issue a written apology for violating their personal rights, including the right to privacy and protection of personal data. The court upheld the claim in its entirety, finding that the controller unlawfully violated the data subject’s personal right to privacy under Articles 23 and 24 of the Polish Civil Code, rather than directly under the GDPR. The court clarified that personal data, as defined under Article 4(1) GDPR, is not in itself a personal right, but the improper handling of specific personal data can constitute a violation of the right to privacy. The court explained that the burden of proof of the absence of unlawfulness lies with the defendant and proceed to assess whether the contro