Ikonka home dla okruszków News and events
photo
07.02.2025

Improper delivery of court mail. The President of the Polish SA lodges a cassation appeal

The case concerns a violation of personal data as a result of the delivery of a damaged and incomplete court mail by a postal operator. The Voivodeship Administrative Court in Warsaw ruled that it is a problem of the administration of justice, which means that it cannot be assessed by the President of the Personal Data Protection Office. The President of the Personal Data Protection Office appealed this judgment to the Supreme Administrative Court.

In the opinion of the President of the Office for Personal Data Protection, leaving this judgment of the Voivodship Administrative Court in force may lead to the situation that persons affected by a similar data breach will remain without legal protection guaranteed by the provisions of the Constitution of the Republic of Poland.

Due to the importance of the legal problem and doubts regarding the interpretation of EU law, the President of the Personal Data Protection Office requested the Supreme Administrative Court to consider referring a preliminary question to the CJEU. The authority requested that three such questions be asked, and the answers obtained will allow to determine: 1) whether such cases are part of the so-called administration of justice, 2) whether they constitute technical (administrative) acts, 3) the determination of the competent supervisory authority (in the absence of competence provisions for the judicial supervisory authority in cases concerning the acceptance of data protection breach notifications).

Case history

The President of the Personal Data Protection Office, following the proceedings, issued a decision dated 19 December 2023, in which he found a breach of the provisions of the GDPR by the district court:

1) consisting in failing to notify the President of the Personal Data Protection Office of a personal data protection breach without undue delay, no later than 72 hours after the breach was discovered,

2) consisting in the failure to notify, without undue delay, data subjects of a personal data protection breach.

In addition, the authority, by virtue of this decision, imposed on the District Court, for violation of Article 33(1) and (3) and Article 34(1) and (2) GDPR, an administrative fine of PLN 10,000 and ordered it to notify, within 3 days from the date of receipt of the indicated decision, the persons whose data were contained on the documents in the damaged postal parcel of the violation of the protection of their personal data in order to provide them with the information required pursuant to Article 34(2) GDPR.

 

The Voivodeship Administrative Court reversed the decision and discontinued the proceedings before the President of the Personal Data Protection Office, holding that in the case of judicial correspondence, the President of the Personal Data Protection Office is not competent to deal with the case because, in the opinion of the court, this falls under the notion of the so-called ‘administration of justice’, which is excluded from the competence of the supervisory authority pursuant to Article 55(3) of the GDPR.

The Voivodeship Administrative Court attempted to define the concept of administration of justice, paying particular attention to the independence of judges. It pointed out, inter alia, that ‘the legal framework for the processing of personal data by judges is constituted by the relevant legal provisions. Indeed, the powers concerning the processing of personal data (jurisprudential data) are related to the specificity of the judicial process, in which independent judges act as persons appointed to exercise the administration of justice and conduct specific judicial proceedings'. The Voivodeship Administrative Court also pointed out that ‘the independent exercise of justice includes actions performed on the order of a judge in a specific court case, related to the service of pleadings on the parties, including - as in the present case - a copy of the statement of claim with the relevant instructions and attachments. Indeed, it is a procedural act of an independent judge which is part of the management of the adjudication process. The copy of the writ of summons is a court letter that is directly related to the court proceedings, the service of which, in the light of the applicable legislation, is formalised.’ In addition, the Court, in assessing the contested decision, pointed out that the authority had failed to gather complete material in the case and had also incorrectly established that there had been a breach of personal data protection.

Significance of the case

The President of the Personal Data Protection Office disagrees with this ruling and has therefore filed a cassation complaint with the Supreme Administrative Court.

It should be recalled that the incident concerns damaged and incomplete correspondence delivered through the postal operator, which means that the confidentiality and availability of the data may have been breached (i.e. correspondence that has left the court and for the contents of which the district court is responsible as administrator).

 The President of the Personal Data Protection Office, contrary to the assertion of the Voivodeship Administrative Court, in the case in question did not interfere in the administration of justice, but assessed the actions of the data controller, primarily intervening in the disclosure of personal data as a result of incorrectly delivered correspondence. It is difficult to consider that the control of the controller's actions in dealing with a personal data breach in the delivery of the mail could influence the decision-making of the members of the panel.

The service of judicial correspondence belongs to the administrative activities of the courts and not to the administration of justice. The activities of the court do not extend to the activities of the postal operator. Adoption of the position presented by the Voivodeship Administrative Court would lead to the conclusion that the postal operator delivering court correspondence is also exercising the administration of justice, and this, after all, finds no legal justification.

The Voivodeship Administrative Court therefore incorrectly assessed the problem in this case. It focused exclusively on the procedural aspect of the issue, and completely disregarded the right to the protection of the personal data of the persons affected by the breach that occurred as a consequence of the postal operator's action.

What is relevant here is that, following errors on the part of the postal operator, the confidentiality of the data contained in the court correspondence has been breached, which constitutes a breach of personal data protection and requires the district court, as the controller of the data contained in that correspondence, to take the necessary steps to properly comply with the obligations set out in Articles 33 and 34 of the GDPR. The President of the Personal Data Protection Office is required to assess how the district court, as controller, has discharged those obligations - and in this case it has not.

If one were to classify the entire incident as part of the administration of justice, the matter would fall under the judicial supervisory authorities. However, these, under the law on the establishment of courts of justice, do not have the power to investigate data security, nor to receive and assess reports of breaches. This would therefore lead to a situation where persons affected by data protection breaches arising in the courts would be deprived of legal protection.

If this judgment is left in force, it may lead to a situation in which courts do not report breaches of personal data protection to the President of the Office for Personal Data Protection or notify the persons affected by such breaches, as they incorrectly classify the events. Such problems are confirmed by the case in question. At the same time, it should be noted that the scope of data contained in the correspondence sent by the court exposes these persons to various types of damage, both of material (the risk of paying off other people's loans, receiving various types of benefits) and immaterial (stress, discrimination in the local environment) nature. At the same time, these individuals, deprived of information about the personal data breach, will not be able to take any remedial measures that would eliminate or at least reduce the risk of these damages. What is more, they will also be deprived of legal protection, as the President of the Personal Data Protection Office will not be able to intervene in their case by sending at least a letter to the court with a request to notify these persons of the personal data protection violation.

In summary, leaving such a judgment in force in the opinion of the President of the Personal Data Protection Office may lead to negative consequences for persons whose data are processed by courts and entities with which courts cooperate (e.g. a postal operator), in particular if left without adequate supervision.

II SA/Wa 252/24, dot. DKN.5131.42.2022

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stawki 2, 00-193 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.