Personal data protection, case II SA/Wa 1085/04

February 11th, 2010, Tomasz Rychlicki

In July 2003, the Inspector General for Personal Data Protection (GIODO) received a complaint in which a natural person, known as W.K. (personal data of the parties are removed from Polish courts’ judgments), requested the GIODO to issue an order to the Polish Internet company to reveal personal data of persons, against which the applicant wanted to initiate legal proceedings. The complaint showed that the online forum operated by the Internet company hosted defamatory content posted by persons using only nicknames.

W.K. proved that he had requested the Company to disclose full IP addresses of computers from which persons using only nicknames have sent messages to the online forum. The applicant also pointed out that the Regional Prosecutor’s Office refused to determine the perpetrators of the alleged defamation. The refusal was also upheld by the District Prosecutor’s Office.

W.K. pointed out that he brought a private accusation based on article 212 § 1 of the Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments, to the Regional Court in K., against the persons who used given nicknames. The Court has issued an order in which it considered the private accusation legally ineffective because it included error in the form – i.e., no indication of names of defendants and their addresses, and W.K. did not clear these errors.

The GIODO has found that the purpose for which W.K. has applied for, i.e. the access to personal data, to assert his rights before the court, is legally justified. The use of these data by the applicant in the proceedings could not be considered as a violation of the rights and freedoms of persons whos personal data was collected because after the initiation of criminal or civil proceedings, personal data would be in a disposition the court.

The Company filed a complaint to the Voivodeship Administrative Court (VAC) in Warsaw. The Court in a judgment of 9 February 2005, case file II SA/Wa 1085/04, annulled the contested decision. The VAC held that the complaint was based on article 23(1) pt. 5 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

1. The processing of data is permitted only if:
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

The court did not accept that the wording of this provision can be interpreted as a rule requiring a data controller to reveal personal data at the request of the person whose requested data does not concern. The basis for such claims available for third parties for purposes other than inclusion in the data collection, was provided in the article 29(1) and (2) of the PPD. This provision being in force until 1 May 2004, did not give rise to demand release of the data, if the controller/administrator of the data were private sector.

The Court also held that the imposition of the duty of the data controller can only be done when the information being available to the controller falls into the category of personal data as defined in article 6(1) of the PPD.

personal data shall mean any information relating to an identified or identifiable natural person.

The requested information related to IP addresses of computers from which the messages were posted by certain people using certain nicknames. The Company argued that it does not require users of its forum to identify themselves in order to post information, what causes that, the IT administration system of the portal website hosting different forums, registers only IP address of computers of persons using the system, and it does not produce other data for identifying the user of a forum. Only a request to the operator of the telecommunication network could lead to the identification of the computer which was connected to the server hosting the portal and its forums. The Court cited English and Polish comentators and found that information, that without extraordinary and disproportionate effort can be “linked” with a specific person, especially by using readily and widely available sources, also deserve credit for their category of personal data. The identifiable person is defined in article 6(2) of the Polish Act of August 29, 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.