NSA - III OSK 2508/25

Summary

A Polish mayor unlawfully processed personal data by accessing a former IT specialist's Facebook account on a work computer. The mayor used private conversations to initiate disciplinary and criminal proceedings, leading to a reprimand from the Data Protection Authority for violating GDPR articles related to lawful processing and special categories of data. The court ruled against the mayor's actions, highlighting the lack of a legal basis for processing the data, which included information about the data subject's religion.

Full text

Help NSA - III OSK 2508/25: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 13:07, 22 June 2026 view sourceAv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators33 editsTag: Visual edit← Older edit Latest revision as of 13:33, 22 June 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators33 editsm Tag: Visual edit Line 67: Line 67: === Facts ====== Facts === The data subject had previously worked as an IT specialist of a city. In May 2019, the work computer was supposed to be handed over to another employee. The data subject had remained logged into his personal account on Facebook that contained conversations between him and other employees of the city. The employee responsible for handing over the computer printed out the conversations and gave them to the mayor (the controller), who used them to initiate disciplinary and criminal proceedings against the employees.The data subject had previously worked as an IT specialist of a city. In May 2019, his work computer was supposed to be handed over to another employee. The data subject had remained logged into his personal account on Facebook that contained conversations between him and other employees of the city. The employee responsible for handing over the computer printed out the conversations and gave them to the mayor (the controller), who used them to initiate disciplinary and criminal proceedings against the employees. The data subject filed a complaint with the supervisory authority regarding the processing of his personal data contained in the Facebook conversations. The DPA issued the controller a reprimand for violations of Articles [[Article 5 GDPR|5(1)(a)]], [[Article 5 GDPR|5(1)(b)]], [[Article 6 GDPR|6(1)]], and [[Article 9 GDPR|9(1)]] GDPR in September 2020. According to the DPA, there had been no legal basis for the processing of personal data that also included information about the data subject’s religion. The data subject filed a complaint with the supervisory authority regarding the processing of his personal data contained in the Facebook conversations. The DPA issued the controller a reprimand for violations of Articles [[Article 5 GDPR|5(1)(a)]], [[Article 5 GDPR|5(1)(b)]], [[Article 6 GDPR|6(1)]], and [[Article 9 GDPR|9(1)]] GDPR in September 2020. According to the DPA, there had been no legal basis for the processing of personal data that also included information about the data subject’s religion. Latest revision as of 13:33, 22 June 2026 NSA - III OSK 2508/25 Court: NSA (Poland) Jurisdiction: Poland Relevant Law: Article 4(1) GDPR Article 4(2) GDPR Decided: 28.05.2026 Published: 16.06.2026 Parties: National Case Number/Name: III OSK 2508/25 European Case Law Identifier: Appeal from: WSA WarsawII SA/Wa 121/25 Appeal to: Unknown Original Language(s): Polish Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish) Initial Contributor: av The Supreme Administrative Court held that a mayor of a city had unlawfully processed personal data by logging into a former employee’s personal Facebook account and using the contents of private conversations to initiate criminal proceedings against him. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject had previously worked as an IT specialist of a city. In May 2019, his work computer was supposed to be handed over to another employee. The data subject had remained logged into his personal account on Facebook that contained conversations between him and other employees of the city. The employee responsible for handing over the computer printed out the conversations and gave them to the mayor (the controller), who used them to initiate disciplinary and criminal proceedings against the employees. The data subject filed a complaint with the supervisory authority regarding the processing of his personal data contained in the Facebook conversations. The DPA issued the controller a reprimand for violations of Articles 5(1)(a), 5(1)(b), 6(1), and 9(1) GDPR in September 2020. According to the DPA, there had been no legal basis for the processing of personal data that also included information about the data subject’s religion. The controller appealed the decision. The court of first instance held the case concerned the secrecy of correspondence instead of data protection and annulled the DPA decision in 2021. The Supreme Administrative Court overturned this decision in 2025 and referred the case to the court of first instance for re-examination. This time, the court of first instance dismissed the appeal and deemed the DPA decision correct. The controller appealed further to the Supreme Administrative court, arguing that he had not processed personal data. Holding The Supreme Administrative Court dismissed the controller’s appeal as unfounded. In the court’s view, the data subject’s login credentials, profile information and information in the Facebook conversations clearly constituted personal data within the meaning of Article 4(1) GDPR: logging in allowed access to the profile of a specific natural person and therefore identified them. Second, the court held that the controller had undeniably processed personal data pursuant to Article 4(2) GDPR. The controller could view, collect, download, print out, and use personal data of the data subject and other individuals after using the login credentials to access his Facebook account. In addition, the controller had further processed the personal data by using the content of private Facebook conversations in paper form. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. Judgment Date 2026-05-28 Final Judgment Date of Receipt 2025-12-22 Court Supreme Administrative Court Judges Maciej Kobak /rapporteur/ Mirosław Wincenciak /chairman/ Przemysław Szustakiewicz Symbol with description 647 Cases related to personal data protection Thematic entries Access to public information Related references II SA/Wa 121/25 - Judgment of the Regional Administrative Court in Warsaw of 2025-08-27 Accused Authority Inspector General for Personal Data Protection Content of the Result Caslation appeal dismissed Referenced provisions Journal of Laws 2026, item 143, art. 184 Act of August 30, 2002, the Code of Administrative Court Procedure Summary The Supreme Administrative Court, composed of: Presiding Judge: Mirosław Wincenciak, Judge of the Supreme Administrative Court; Judges: Przemysław Szustakiewicz, Judge of the Provincial Administrative Court; Maciej Kobak (rapporteur); Clerk of the Court: Assistant Judge Marita Sukiennik-Sikora, having considered on May 28, 2026, at the hearing in the General Administrative Chamber, the cassation appeal of the City and Commune of O. against the judgment of the Provincial Administrative Court in Warsaw of August 27, 2025, file ref. Case No. II SA/Wa 121/25, regarding the complaint of the City and Commune of O. against the decision of the President of the Personal Data Protection Office of September 22, 2020, No. ZSZZS.440.392.2019.ZS.JM, regarding the issuance of a warning. I. dismisses the cassation appeal; II. awards the City and Commune of O. the amount of PLN 360 (three hundred sixty) from the City and Commune of O. to the President of the Personal Data Protection Office as reimbursement of the costs of the cassation proceedings. Justification By its judgment of August 27, 2025 (II SA/Wa 121/25), the Provincial Administrative Court in Warsaw, pursuant to Article 151 of the Act of August 30, 2002 - The Code of Administrative Court Procedure (Journal of Laws of 2024, item 935, as amended; her

Entities