
Supreme Administrative Court agrees with the President of the Personal Data Protection Office
The case was initiated by a complaint from a bus passenger that the driver had demanded that the passenger state his or her name out loud. Showing an electronic ticket was not enough. In this way, the passenger's data became known to other people on the bus, and there was no basis for this.
The President of the Personal Data Protection Office investigated the case and found that the bus operator collected passengers' personal data when selling them tickets online. The driver then checked the passenger's details against this inventory. The President of the Personal Data Protection Office issued a reprimand to the company, stating that this way of proceeding was not appropriate and breached the provisions of the GDPR, specifically Articles 5(1)(f) and 6(1)(b).
The company appealed this decision to the Voivodeship Administrative Court and won: the court overturned the decision of the President of the Personal Data Protection Office, holding that the latter had no grounds for intervention, as giving one's name when buying a ticket and then introducing oneself aloud on the bus is not the processing of personal data within the meaning of the GDPR.
The Voivodeship Administrative Court stated that ‘an event was cited which did not concern the public disclosure of a specific set of personal data (the list of passengers for a specific course could be considered as such), but the use of the name and surname of a specific passenger for the identification of a person, entitled to travel (ticket purchaser). [...] The processing of the data in this case (their possible disclosure) is not covered by the rules of the GDPR, determining the framework of the competence to settle cases administratively. [...] The incompetence of the authority (or the obvious lack of legal interest of the concerned Applicant), is a premise for the refusal to initiate proceedings’.
Therefore, if a passenger believes that introducing himself or herself aloud on the bus breaches his or her right to privacy, he or she can bring a civil case against the carrier; however, the President of the Personal Data Protection Office cannot intervene here.
The President of the Personal Data Protection Office did not agree with this argumentation. In his cassation appeal, he stated that both the GDPR and the Polish Act on the Protection of Personal Data stipulate that it is he, as the data protection supervisory authority, who conducts the data breach proceedings. Thus, the President of the Personal Data Protection Office had not only the right, but also the obligation to deal with the passenger's complaint. And he fulfilled this obligation. In this case, it is also irrelevant that the personal data were processed in a non-automated manner, by the driver. They were processed by him and disclosed to unauthorised persons.
Here, the Supreme Administrative Court agreed with the President of the Personal Data Protection Office: the interpretation of the provisions on personal data protection applied by the Voivodeship Administrative Court is incorrect. First and last name are personal data that identify a person, and in the case indicated, they were processed within a data filing system. The company (data controller) created it by collecting data from customers when they purchased tickets online. If the driver checked them using this data filing system, he, as a representative of the controller, processed and disclosed them. Consequently, the legality of such disclosure should be assessed by the President of the Personal Data Protection Office, in connection with the complaint received by him.
Voivodeship Administrative Court: ref. no. II SA/Wa 1801/20
III OSK 6134/21 of 11 February 2025.
ZSPR.440.941.2019