Poland's data protection authority, the Urząd Ochrony Danych Osobowych, fined the Surveyor General of Poland PLN 100,000 for violations of Articles 5(1) and 6(1) of the EU General Data Protection Regulation in relation to improper data processing.

100 thousand PLN fine for GGK
A violation of the principle of lawfulness of personal data processing, and the intentional provision of personal data without a legal basis on the GEOPORTAL2 portal in the form of land and mortgage register numbers obtained from the land and building records, are the reasons for imposing an administrative fine of PLN 100,000 on the Chief Surveyor of the Country (GGK).

In addition, the GGK must adjust personal data processing operations to the provisions of the GDPR by ceasing to provide personal data on the GEOPORTAL2 portal (www.geoportal.gov.pl) regarding the numbers of land and mortgage registers obtained from the land and building register (kept by starosts).

The President of the Personal Data Protection Office (UODO) decided to conduct inspections at the Chief National Surveyor at the beginning of March 2020. However, GGK prevented the examination of the legality of publishing land and mortgage register numbers on GEOPORTAL2. During the inspection, it provided only documentation specifying the organizational measures used to ensure data security and evidence confirming the appointment of a data protection officer. As a result, in this case, the President of the Personal Data Protection Office imposed an administrative fine on the GGK (https://uodo.gov.pl/pl/138/1602). Despite the refusal to allow the inspection, GGK gave testimony, which served as evidence in these proceedings.

The testimonies show that the GGK publishes information obtained from the land and building register (including land and mortgage register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.

Pursuant to Art. 5 sec. 1 lit. a GDPR, personal data must be processed lawfully, fairly and in a transparent manner for the data subject. Data is processed lawfully only where at least one of the conditions set out in Art. 6 GDPR is met.

In the course of the proceedings, GGK did not indicate a legal provision that would constitute the legal basis for its operation. Moreover, none of the provisions regulating the activities of the Chief National Surveyor allows him to share data obtained from starosties under GEOPORTAL2. In the opinion of the President of the Personal Data Protection Office, the Chief Surveyor of the Country, being aware of the lack of a clear legal basis for processing land and mortgage register numbers, concluded agreements with starosts, on the basis of which he obtained information from the land and building records (including land and mortgage register numbers) kept by starosts in order to publish it on GEOPORTAL2. The supervisory authority found that these agreements concerned the creation and maintenance of common elements of the technical infrastructure for the storage of and access to specific data sets. However, they did not constitute a legal basis for disclosing data, including land and mortgage register numbers. Such a basis must result from the generally applicable provisions of law.

Considering the above, the President of the Personal Data Protection Office decided that personal data in the form of land and mortgage register numbers was shared on GEOPORTAL2 without a legal basis. Such action results in a breach by the Chief National Surveyor of Art. 5 sec. 1 lit. a and art. 6 sec. 1 GDPR. The legal doctrine represents the position that disclosing personal data from public files in the absence of an explicit legal basis relating to the sharing operation is unlawful.

In this case, it is undeniable that the numbers of land and mortgage registers processed on the website www.geoportal.gov.pl constitute personal data. According to the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

The scope of data disclosed in the land and mortgage register of natural persons includes, inter alia, names, surnames, parents' names, PESEL number, real estate address. Publishing such data makes it possible to identify the person whose data is included in the land and mortgage register. By publishing land and mortgage register numbers on Geoportal2, any interested Internet user can access the information contained therein. This type of situation may expose a very large number of data subjects to identity theft.

When imposing a financial penalty, the supervisory authority took into account not only the gravity of the infringement, its nature and duration, but also the intentional nature of the action.