Using someone else's name in an e-forum post could result in a fine. A landmark ruling
Can online activity and the publication of other people's data in a discussion on a social networking site, even a closed one, land you in legal trouble? It turns out that it can. This is confirmed by a landmark ruling of the Supreme Administrative Court (NSA) regarding GDPR.
He revealed the name of the mayor's wife and her Covid-19 vaccination code. Does this violate GDPR?
The dispute was initiated by a complaint about a violation of personal data protection regulations. In November 2021, a woman alerted the Personal Data Protection Office (UODO) that a Facebook user had been publishing a post for a month in a group with over 6,100 members, unlawfully revealing her name and surname in connection with her medical data – with a QR code confirming vaccination. The woman demanded an order to delete the information and punish the perpetrator.
The President of the Personal Data Protection Office (UODO) took the issue seriously and requested an explanation. The man provided one but pleaded not guilty. In his opinion, he had not processed any personal data. He explained that he had obtained the original QR code for the Covid-19 vaccination from the publicly available website of the mayor—who was privately the woman's husband.
The man read it for personal reasons, as a voter and resident, curious whether the mayor, a public figure, had published his code to confirm his vaccination. After he scanned it using a free app recommended by the Ministry of Health, it turned out that the certificate was not issued in the mayor's name. Then, acting in the public interest and in good faith, he decided to publish it in an online discussion in a form that would be impossible to read.
However, the President of the Personal Data Protection Office (UODO) did not back down. He found that the case violated the GDPR and issued a warning for processing personal data without a legal basis. Officials determined that the complainant had consented to the publication of a photo of her certificate on her husband's blog, but without any personal data. It was intended as an example. The President of the UODO noted that information that can be obtained using a certificate scanner meets the definition of personal data, including sensitive data.
The reprimanded individual refused to accept this turn of events. He appealed to the court but lost. Initially, the Provincial Administrative Court (WSA) in Warsaw ruled against him. It had no doubt that the case involved the processing (disclosure) of personal data, including health information, without a legal basis.
Ultimately, the man's defeat was sealed by the Supreme Administrative Court. The court was not convinced by the argument that the disputed activities were "purely personal or household in nature," a category to which the GDPR does not apply.
There is no private use on a closed forum on FB
According to the Supreme Administrative Court, the publication of personal data on Facebook's private social media platforms does not constitute the processing of personal data by an individual for a purely personal or household purpose. This applies to situations where the person publishing personal data is not the administrator of the community in question, does not personally select its participants, but merely joins it. Other group members do not have the authority to submit a binding objection to their application to join the community.
The Supreme Administrative Court emphasized that creating an account on a social networking site, sending notifications to others, or joining a specific social networking group does not constitute a declaration of intent to an unspecified group of users regarding further data processing. This also applies to the processing of personal data within closed social networking groups, i.e., the processing of data posted by a single user on their account. The judgment is final.
File reference number: III OSK 1101/24
The commented judgment of the Supreme Administrative Court is very important and may significantly impact the practical application of the GDPR. It concerns widespread activity on social media, including closed groups, and should serve as a warning against careless publication of personal data there. It is therefore worth recalling that a situation in which an individual does not apply the GDPR because they process personal data as part of activities of a purely personal or household nature is an exception to the principle of applying the GDPR where data processing occurs. And exceptions, as we know, should be interpreted strictly. Therefore, I am pleased with the position of the Supreme Administrative Court, which once again puts a stop to what I consider to be an overly broad definition of this exception. After all, where is the personal purpose, not to mention the household purpose, when we publish personal data on a closed forum if we have no control over who participates in that forum? Meanwhile, as the GDPR indicates in recital 18 of the preamble, personal or household activities include, among others, maintaining social bonds, which do not exist between forum members who are strangers to each other.
RP