12.04.2024

The controller must have a basis for data processing

Where data about a person's health status are obtained from that person, his or her explicit consent is necessary, the Voivodeship Administrative Court in Warsaw has confirmed.

The court dismissed the complaint of the civil partnership Kancelaria PIONIER against the decision of the President of the Personal Data Protection Office imposing a fine of over PLN 45,000 on this controller for processing personal data without a legal basis.

In its activities, the company reached out to the affected persons, mainly persons injured in traffic accidents, in order to cooperate with them in representing them, inter alia, before insurance companies and in court cases in order to obtain compensation, damages and pensions in their favour, as well as reimbursement of treatment and rehabilitation costs. It obtained information about potential clients from, inter alia, press releases, online publications, including content available on social media, as well as information provided or disseminated by charitable organisations. During the meeting, a representative of Kancelaria PIONIER obtained verbal consent to the processing of personal data pending the possible conclusion of a contract with these persons for the provision of services.

In the opinion of both the Voivodeship Administrative Court and the supervisory authority, consent obtained in this way did not comply with the GDPR and could not be the basis for the processing of personal data. The controller, when obtaining data on health status, should obtain explicit consent to the processing of personal data. The Voivodeship Administrative Court pointed out that the company, on the other hand, only obtained verbal consents and did not record them in any way, e.g. in the form of audio recordings of the consents given by the persons concerned. The Court therefore ruled that the supervisory authority was correct in concluding that the case lacked unequivocal evidence that these persons had expressed their consent to the processing of their data.

The Voivodeship Administrative Court also indicated that the basis for data processing by the controller in this case could not be the premise that the data processing is necessary for the performance of a contract (Article 6(1)(b)). The court pointed out that the evidence collected by the Personal Data Protection Office in the course of the inspection at the company showed that the collection of the data was not necessary for the performance of the contract; the persons from whom the data were collected were not yet customers. The data were processed for a different purpose, namely to investigate the viability of entering into a contract with a potential customer and possibly to re-establish contact with such a person.

The Voivodeship Administrative Court in Warsaw also rejected the complainant’s allegation that in the administrative proceedings the supervisory body failed to explain all the circumstances influencing the outcome of the case. In the Court’s opinion, the justification of the decision of the President of the Personal Data Protection Office indicates the facts significant for the resolution of the case which the authority considered proven and the evidence on which it based its decision.

The decision of the President of the Personal Data Protection Office in this case can be read at this link, and the justification of the judgement of the Voivodeship Administrative Court in this case (ref. no. II SA/Wa 1861/23) is published below.