The Supreme Administrative Court (NSA) has overturned the decision of the President of the PDPO imposed on the Morele.net shop as a result of a customer data leak. The NSA’s overturning of the decision was based on several key arguments:
Lack of expert evidence
Morele.net demanded expert evidence, but the Provincial Administrative Court (WSA) ignored this, assuming that the President of the PDPO had sufficient evidence. The NSA indicated that in such a precedent-setting case, involving the processing of data of more than 2 million people, a more objective assessment of Morele.net’s measures was warranted.
Lack of right to an effective defence
The penalty proceedings are sanction and single-instance proceedings. The NSA held that the proceedings should therefore take place as impartially as possible and that the omission of a party’s evidentiary submissions on relevant facts constitutes a violation of the principle of active participation of the party in the proceedings.
Lax justification
The NSA also agreed with Morele.net’s other allegation regarding the arbitrary assessment of evidence. The NSA stated in its decision that “the complexity of the case does not exceed the scope of knowledge within the authority’s competence”. The NSA did not believe this and held that in a case involving such a severe penalty, there should be no doubt as to the correctness of the findings made. Merely asserting that the PDPO knew what it was doing is too vague.
In conclusion, the overturning of the Morele.net decision shows that the value of evidentiary research, objectivity and the right to an effective defence are crucial in such cases. The judgment of the NSA also serves as a reminder of the need to constantly monitor threats and adapt to the data security situation. Although the decision in this case was overturned, this does not mean that the PDPO penalties are always overturned – courts often agree with the PDPO decisions. This is a reminder that ensuring compliance with the GDPR is an ongoing process.