Polish DPA imposes 100 000 PLN fine on the Surveyor General of Poland

Sep 1, 2020

Source: European Data Protection Board

Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal  basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers are the reason for imposing an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (GGK).

Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by discontinuing making available on the GEOPORTAL2 portal (www.geoportal.gov.pl) of personal data in the scope of land register numbers obtained from the land and property registers (kept by the starostes).

The President of the UODO decided to carry out inspection activities at the Surveyor General of Poland at the beginning of March 2020. However, GGK prevented the possibility of examining the legality of publishing information on the land registers number on GEOPORTAL2. In the course of the inspection, it made available only documentation specifying the organisational measures applied to ensure the data security and the evidence proving the appointment of the Data Protection Officer. As a result, the President of the UODO imposed an administrative fine on GGK (https://uodo.gov.pl/en/553/1146). However, despite the refusal to carry out an inspection, GGK gave testimony which served as evidence in the present proceedings.

According to the testimony submitted, GGK publishes information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.

In accordance with Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data is processed lawfully only in cases where at least one of the conditions indicated in Art. 6 GDPR is met.

In the course of the proceedings, GGK did not indicate a provision of law which would constitute the legal basis for its activity. Moreover, none of the legal provisions governing matters related to the activities of the Surveyor General of Polandallows it to make available data obtained from the starosties within the framework of GEOPORTAL2. In the opinion of the President of the UODO, the Surveyor General of Poland, aware of the lack of a clear legal basis for the processing of land registers numbers, concluded agreements with the starostes on the basis of which it obtained information from the land and property registers (including land registers numbers) kept by the starostes for the purpose of their publication on GEOPORTAL2. The supervisory authority considered that these agreements concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including land register numbers. Such a basis must result from commonly binding legal provisions.

Having regard to the above, the President of the UODO considered that personal data were made available in the form of land register numbers on GEOPORTAL2 without a legal basis. Such action results in infringement of Article 5(1)(a) and Article 6(1) of the GDPR. The doctrine of law represents the view that making personal data available from public fling systems in the absence of a clear legal basis relating to the operation of making personal data available is unlawful.

In this case, it is undeniable that the land register numbers processed on www.geoportal.gov.pl constitute personal data. According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The scope of data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), property address. The publication of such data allows the identification of the person whose data is contained in the land register. By publishing land register numbers on Geoportal2, access to the information contained in them can be obtained by any interested Internet user. This type of situation may expose a very large number of people (data subjects) to theft of their identity.

When imposing a fine, the supervisory authority took into account not only the severity of the infringement, its nature and duration, but also the intentional character of the action.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.
This press release can be seen as a follow up to an article previously posted here on the EDPB website.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl​​​​​​​

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more