GDPR · Jun 22, 2026

NSA - III OSK 2508/25

Poland's Supreme Administrative Court rules mayor unlawfully processed personal data via Facebook.

Summary

Poland's Supreme Administrative Court has ruled that a city mayor unlawfully processed personal data by accessing a former employee's Facebook account. The mayor used private conversations from the account, accessed via the employee's work computer, to initiate disciplinary and criminal proceedings. The court affirmed that login credentials, profile information, and conversation content constitute personal data under GDPR.

Full text

From GDPRhub. Revision as of 13:05, 22 June 2026.

Court: NSA (Poland)
Jurisdiction: Poland
Relevant Law: Article 4(1) GDPR, Article 4(2) GDPR
Decided: 28.05.2026
Published: 16.06.2026
Parties:
National Case Number/Name: III OSK 2508/25
European Case Law Identifier:
Appeal from: WSA Warsaw, II SA/Wa 121/25
Appeal to: Unknown
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: av

The Supreme Administrative Court held that a mayor of a city had unlawfully processed personal data by logging into a former employee’s personal Facebook account and using the contents of private conversations to initiate criminal proceedings against him.

English Summary

Facts

The data subject had previously worked as an IT specialist for a city. In May 2019, the work computer was supposed to be handed over to another employee. The data subject had remained logged into his personal account on Facebook that contained conversations between him and other employees of the city. The employee responsible for handing over the computer printed out the conversations and gave them to the mayor (the controller), who used them to initiate disciplinary and criminal proceedings against the employees.

The data subject filed a complaint with the supervisory authority regarding the processing of his personal data contained in the Facebook conversations. The DPA issued the controller a reprimand for violations of Articles 5(1)(a), 5(1)(b), 6(1), and 9(1) GDPR in September 2020.
According to the DPA, there had been no legal basis for the processing of personal data that also included information about the data subject’s religion.

The controller appealed the decision. The court of first instance held the case concerned the secrecy of correspondence instead of data protection and annulled the DPA decision in 2021. The Supreme Administrative Court overturned this decision in 2025 and referred the case to the court of first instance for re-examination. This time, the court of first instance dismissed the appeal and deemed the DPA decision correct. The controller appealed further to the Supreme Administrative Court, arguing that he had not processed personal data.

Holding

The Supreme Administrative Court dismissed the controller’s appeal as unfounded.

In the court’s view, the data subject’s login credentials, profile information and information in the Facebook conversations clearly constituted personal data within the meaning of Article 4(1) GDPR: logging in allowed access to the profile of a specific natural person and therefore identified them.

Second, the court held that the controller had undeniably processed personal data pursuant to Article 4(2) GDPR. The controller could view, collect, download, print out, and use personal data of the data subject and other individuals after using the login credentials to access his Facebook account. In addition, the controller had further processed the personal data by using the content of private Facebook conversations in paper form.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Judgment Date: 2026-05-28 (final judgment)
Date of Receipt: 2025-12-22
Court: Supreme Administrative Court
Judges: Maciej Kobak /rapporteur/, Mirosław Wincenciak /chairman/, Przemysław Szustakiewicz
Symbol with description: 647 Cases related to personal data protection
Thematic entries: Access to public information
Related references: II SA/Wa 121/25 - Judgment of the Regional Administrative Court in Warsaw of 2025-08-27
Accused Authority: Inspector General for Personal Data Protection
Content of the Result: Cassation appeal dismissed
Referenced provisions: Journal of Laws 2026, item 143, art. 184, Act of August 30, 2002, the Code of Administrative Court Procedure

Summary

The Supreme Administrative Court, composed of: Presiding Judge: Mirosław Wincenciak, Judge of the Supreme Administrative Court; Judges: Przemysław Szustakiewicz, Judge of the Provincial Administrative Court; Maciej Kobak (rapporteur); Clerk of the Court: Assistant Judge Marita Sukiennik-Sikora, having considered on May 28, 2026, at the hearing in the General Administrative Chamber, the cassation appeal of the City and Commune of O. against the judgment of the Provincial Administrative Court in Warsaw of August 27, 2025, file ref. II SA/Wa 121/25, regarding the complaint of the City and Commune of O. against the decision of the President of the Personal Data Protection Office of September 22, 2020, No. ZSZZS.440.392.2019.ZS.JM, regarding the issuance of a warning:

I. dismisses the cassation appeal;
II. awards the amount of PLN 360 (three hundred sixty) from the City and Commune of O. to the President of the Personal Data Protection Office as reimbursement of the costs of the cassation proceedings.

Justification

By its judgment of August 27, 2025 (II SA/Wa 121/25), the Provincial Administrative Court in Warsaw, pursuant to Article 151 of the Act of August 30, 2002 - The Code of Administrative Court Procedure (Journal of Laws of 2024, item 935, as amended; hereinafter also referred to as "p.p.s.a."), dismissed the complaint of the City and Commune of O. against the decision of the President of the Personal Data Protection Office (hereinafter also referred to as the "President of the Personal Data Protection Office") of September 22, 2020, regarding the issuance of a warning.

This decision was issued based on the following circumstances of the case.

As a result of R. S.'s complaint (hereinafter also referred to as the "participant") regarding the processing of his personal data by the Mayor of the City and Commune of O. (hereinafter also referred to as the "Mayor"), regarding his Facebook login details and data associated with his profile on that website, administrative proceedings were initiated by the President of the Personal Data Protection Office, who, by decision of September 22, 2020, issued pursuant to Article 104 § 1 of the Act of 14 June 1960 – the Code of Administrative Procedure, and Article 5 paragraph 1 letter a, Article 6 paragraph 1, Article 9 paragraph 2, and Article 58 paragraph 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU, L 119, 4 May 2016; hereinafter also referred to as the "GDPR"), in point 1 issued the Mayor a warning for the violation of Article 5 paragraph 1, Article 6 paragraph 1, and Article 9 paragraph 1 of the GDPR, consisting in the unjustified acquisition of the participant's personal data contained in correspondence conducted by him via the social networking site Facebook, and in point 2 refused to grant the request in the remaining respects.

During the course of the administrative proceedings, it was determined that:
- the participant was employed at the City and Commune Office in O. (hereinafter also referred to as the "Office") as an IT specialist. On December 31, 2018, his employment contract was terminated with a three-month notice period. He was entrusted with a computer to perform his duties and was required to return it by January 3, 2019.
- the participant failed to delete the bookmark and password s

Entities

Facebook (vendor)