Skip to main content

Data posted on Facebook vs GDPR in the light of the Warsaw WSA judgement

|

What the exemption from the application of the Regulation due to private and domestic purposes is? Polish Regional Administrative Court gave an answer to this question by referring to CJEU’s jurisdiction ruled before the GDPR was in force.

Facts

The person who was a party to the proceedings, which ended with an injunctive relief, published the judgement on Facebook and, according to the other party, placed it behind the window of their car. The judgement remained visible on the website for no more than a month. Due to this fact, in May 2019, the other party, feeling aggrieved by it, filed a complaint to the President of the Office for Personal Data Protection about the unlawful processing of their personal data by the other party. It is significant in the case that both parties are related.

Consequently, the applicant requested the President of the Office for Personal Data Protection (Polish, PUODO or the President of the UODO) to order other party to refrain from publishing or making available in any form the applicant’s personal data contained in the court judgments and to impose an administrative fine on the other party and, additionally, requested the supervisory authority to use against the other party another remedial power provided for in Article 58 GDPR, appropriate to the infringement. The material collected by the President of the UODO showed that the publishing party did not conduct any business activity and that they published the judgment in the heat of the moment. The President of the UODO discontinued the proceedings. In doing so, he invoked Article 2(2)(c) GDPR and Recital 18 GDPR. He, therefore, concluded that there had been processing of personal data by an individual in the course of an activity of a purely personal or domestic nature. Using Recital 18 GDPR, he further specified that a purely personal or domestic activity is one which is unconnected with a professional or commercial activity. It may, for instance, consist of correspondence and the storage of addresses, the maintenance of social ties and online activities undertaken in the course of such activities.

 

Appeal to the Regional Administrative Court (Polish, WSA)

In March 2020, the applicant filed a complaint with the WSA in Warsaw against the above decision of the President of the UODO.

The applicant accused the PUODO of considering the posting of the judgment on Facebook and behind the car window as an activity of a purely personal nature and of failing to examine exhaustively the entirety of the material gathered in the case, among other things.

Also, she claimed that the supervisory authority failed to take into account the fact that the publication of the applicant’s personal data was made in the context of a public activity since the publication of her personal data was made during the election campaign for and in connection with those elections.

 

Assessment by the Regional Administrative Court

The WSA upheld the complaint. The Court stated that by issuing the appealed decision, the President of the UODO committed a breach of both the provisions of European law binding on Poland and the regulations of national law to a degree which significantly affected the final outcome of the case. The Court noted that an analogous exemption was formulated in Article 3(2), second indent, of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). This allowed the Court to consider as up-to-date the case-law of the Court of Justice of the European Union in relation to this standard and, consequently, to adopt the interpretation of the CJEU concerning this provision. Thus, the Court assumed that the exclusion currently referred to in Article 2(2)(C) GDPR must be interpreted as covering only activities which fall within the private or family life of the individual, which is clearly not the case for the processing of personal data consisting in publishing them on the Internet in such a way that it becomes accessible to an unlimited number of people (C-101/01, para 43). In addition, where the processing [of personal data] extends even partly into the public sphere and is, thus, directed beyond the private sphere of the person who carries out the processing in this way, it should not be understood as an act of a purely ‘personal or domestic’ nature (C-212/13, para 33). Moreover, the Court quoted the opinion of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of the quoted Directive 95/46/EC. With regard to social networks, the WP found, inter alia, that, in principle, the processing of personal data carried out on social networks by their users fell within the scope of activities of a purely personal or domestic nature, unless, for example, the data were accessed by people other than the user’s own chosen contacts. In the Court’s view, therefore, while Recital 18 GDPR points to online activities, including the use of social networks, as exempted from the GDPR regime, this exemption is not absolute, following in any situation and for any non-commercial activity of the user on the Internet, but narrowing down to those factual situations in which the processing of data, in particular making them available via the Internet, does not take place for the benefit of an unlimited circle of recipients. The Court went on to hold that activities of a personal or domestic nature, therefore, generally concern aspects of activity relating to the running of a household, spending holidays, including mementos from them such as photographs or videos, consumption or sporting activities. Hence, this also includes publishing data on social networks. However, the processing of data on the social networking site Facebook, where the data are or may also be accessed by people other than those who have been independently selected by the user, cannot be regarded as covered by the exemption.

 

Summary

In its judgment, the Regional Administrative Court in Warsaw clarified the meaning of the exemption from Article 2(2)(C) GDPR and the phrase of purely personal or domestic activities used in Recital 18 GDPR. The Court included activities relating to aspects of activities of running a household, spending holidays, including mementos from them such as photographs or videos, consumption or sporting activities. In addition, these activities include posting on a social networking site. However, the exclusion provided for by Article 2(2)(C) and Recital 18 GDPR does not arise in every case where family members who do not carry out economic activities but who engage in online activities are involved. However, the Court focused not on the fact that the aggrieved party was a candidate for public office, but on the fact that the applicant did not choose the circle of recipients which her personal data reached, stressing that the extent of the publication of the data and the scope of the circle of recipients of that data are questionable. The judgement is not final.

 

Article provided by INPLP member: Justyna Matuszak-Lesny (e|s|b Legal, Poland)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}