Full inspection must be carried out
The President of the Personal Data Protection Office (UODO), after having conducted an administrative proceeding instituted ex officio in the case of imposition of an administrative fine, imposed a fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK).
The President of the Personal Data Protection Office established that the Surveyor General of Poland violated the provisions of the General Data Protection Regulation (GDPR), where the breach consisted in failure to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks. Furthermore, GGK did not cooperate with the President of the UODO during that inspection.
The President of the UODO is tasked with monitoring and enforcing the application of the GDPR. Within the scope of its competences, it conducts inter alia proceedings on the application of the provisions of the GDPR. For the performance of its tasks, the supervisory authority shall have a number of specific powers, including the right to obtain from the controller and the processor access to all personal data and to all information necessary for it, or the right to obtain access to any premises of the controller and the processor, including to any data processing equipment and means.
Moreover, the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of the GDPR.
An infringement of the provisions of the General Data Protection Regulation, consisting in failure to provide access to data and information by the controller or processor, shall result in a breach of the powers of the supervisory authority referred to in Article 58(1) of the GDPR. Therefore, the President of the UODO considered it reasonable to impose an administrative fine.
As a reminder, at the beginning of March 2020 the President of the Personal Data Protection Office decided that it was necessary to inspect the processing by the Surveyor General of Poland, on the GEOPORTAL2 portal, of personal data from the poviat land and property registers, and informed GGK of this in a letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted to GGK personal authorisations containing information on the scope of the inspection. The Surveyor General of Poland did not allow the full inspection activities resulting from the submitted authorisations to be performed. Giving the reasoning for its position, GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.
Finally, GGK signed the authorisations, entering a written note on them stating that it refused the carrying out of the inspection aimed at establishing inter alia: the grounds for the processing (including disclosing on GEOPORTAL2) of personal data, the sources of such data, the scope and type of disclosed personal data, and the method and purpose of that disclosure. Furthermore, it can be concluded from the note that the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures have been implemented to ensure an adequate level of security of the data being subject to protection, and whether GGK has appointed a Data Protection Officer. Unfortunately, because the inspectors had no access to the IT systems used by GGK and could not perform the necessary inspections of the IT system during the inspection, it has not been established whether GGK has implemented appropriate technical measures to ensure data security. In view of the above, in the course of the inspection it was only established what organisational measures GGK used for data security and whether a Data Protection Officer was appointed.
An inspection protocol has been drawn up from the inspection activities carried out, which has been signed by the Surveyor General of Poland.
Due to GGK's categorical lack of consent to full inspection activities and its unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground GGK, when providing information from the land and property registers via the GEOPORTAL2 online portal (geoportal.gov.pl), enables access to personal data contained in land and property registers, and whether GGK has implemented appropriate technical measures to ensure data security. During the inspection, it was not possible to investigate the main subject of the inspection, because not all operations could be carried out. In this respect, the inspection was thwarted by the Surveyor General of Poland.
In addition, separate proceedings are pending before the President of the UODO in the case of a breach consisting in the processing of personal data in the form of the numbers of land and property registers on the GEOPORTAL2 online portal without a legal basis.
The information on hindering the inspection by GGK and on issuing the decision by the President of the UODO is available (in Polish) on the website of the Office at: https://uodo.gov.pl/pl/138/1483.
The full text of the decision is available (in Polish) at: https://uodo.gov.pl/decyzje/DKE.561.3.2020