The Supreme Administrative Court of Poland has recently ruled that a school’s processing of children’s fingerprint data, for the purpose of identifying them at the canteen entrance and verifying their payment for meals, did not violate the GDPR. The judgment offers persuasive but controversial arguments for its conclusion that the school’s processing complied with the data minimisation principle.
Background
A primary school in Poland collected children’s fingerprints at the entrance to the canteen, to identify them and verify payment for the meal on a given day. The school introduced the fingerprint system at the suggestion of the parents’ council, as the previous system, which relied on electronic cards, proved ineffective because children frequently lost or forgot their cards. The school only used this identification method for students whose parent or legal guardian had given written consent.
The Polish data protection authority (“UODO”) conducted proceedings ex officio and found, among other things, that the data processing was contrary to the principle of data minimisation. According to UODO, processing children’s biometric data was not necessary to achieve the purpose, and less intrusive means were available.
Two Polish courts have disagreed with UODO, but for different reasons.
- In 2020, after the school appealed UODO’s decision, the Provincial Administrative Court ruled in the school’s favour, finding that the processing was adequate, relevant, and limited to what is necessary, and therefore, compliant with the data minimisation principle.
- On 10 October 2024, the Supreme Administrative Court confirmed the first-instance court decision, although relying on different arguments. The Supreme Administrative Court argued that, where data processing is based on consent, compliance with the data minimisation principle should not be questioned at all, because generally, the controller cannot violate this principle in such cases.
Provincial Administrative Court: Data minimisation principle allows for processing a “slightly broader scope” of data than just the necessary minimum
The Provincial Administrative Court noted that, even if the data subject consented to the data processing, consent does not absolve the controller from adhering to the principle of data minimisation. The Court then assessed the school’s compliance with the data minimisation principle and concluded, contrary to UODO’s findings, that there was no violation.
The Provincial Administrative Court characterised UODO’s interpretation of the data minimisation principle as “going too far”. In that interpretation, data minimisation requires limiting data to the necessary minimum, meaning that only data without which the purpose cannot be achieved may be processed.
The Provincial Administrative Court noted that data minimisation consists of three elements, requiring that personal data must be: a. adequate; b. relevant; and c. limited to what is necessary in relation to the purposes. The adequacy requirement involves assessing the usefulness of data processing, and allows for considering the circumstances that justify processing data that can significantly help to achieve the intended purposes. The Court pointed out that necessity (requirement c.) cannot be given priority at the expense of adequacy (requirement a.).
In the Court’s view, the correct interpretation of the data minimisation principle is as follows: personal data can be processed in “slightly broader scope” than just the necessary minimum, as long as the data are closely related to achieving the intended purpose, such as when the data facilitate the achievement of the purpose. The Court concluded that the school’s data processing complied with the data minimisation principle as interpreted in this manner.
Supreme Administrative Court: Where valid consent exists, the issue of data minimisation compliance does not arise
The Supreme Administrative Court found that there was no violation of the data minimisation principle. In the Court’s assessment, the parents’ consents met all the GDPR requirements for validity. The Court considered that, where data processing is carried out with valid consent, the issue of data minimisation compliance does not even arise – the principle is inherently implemented.
According to the decision, by consenting, a data subject accepts the relevant “parameters” of data processing: purpose, categories of personal data, volume of data, processing method, and retention period. The Court compared such consent to an “agreement” between the data subject and the controller. That agreement reflects the parties’ joint assessment that processing the data according to the agreed parameters is the best solution for achieving the purpose. The parties jointly formulate a subjective assessment that the processing aligns with the data minimisation principle. The Court noted that compliance with the principle cannot be questioned based on some objective or reasonable criteria that the consent allegedly does not meet – the principle of data minimisation is considered “fulfilled” by the person’s consent.
Comment
The reasoning of the Supreme Administrative Court differs from that of the European Data Protection Board (“EDPB”). As noted by the EDPB in Guidelines 05/2020 on consent under Regulation 2016/679, “even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data, which is not necessary in relation to a specified purpose”, and “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR” (paragraph 5).
It can be observed, more generally, that courts in the EU member states are ready to interpret the provisions of the GDPR less strictly than the data protection authorities. Another recent example is the March 2024 Klarna AB decision of the Administrative Court of Appeal in Stockholm. The court held, contrary to the view of the Swedish data protection authority, that a privacy notice did not have to specify the countries to which the data controller (a bank) had transferred personal data, and that the notice could lawfully state the data subject’s rights without explaining their meaning. Data controllers may want to pay closer attention to this tendency, as they may find in the courts an audience willing to give full consideration to the practicalities of day-to-day business and data processing activities.