Personal data protection, case I OSK 633/08

March 11th, 2010, Tomasz Rychlicki

The Supreme Administrative Court in its judgment of 3 July 2009 case file I OSK 633/08 held that the processing/storage/retention of personal data in backup copies of bank’s IT system is nothing but the processing of these data, and such processing is possible only in all cases defined by the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. In case, where the credit agreement was not concluded, the processing of personal data in backup copies has no justification in the provisions of the PPD and there is no such situation as referred in Article 26 of the PPD.

Article 26
1. The controller performing the processing of data should protect the interests of data subjects with due care, and in particular to ensure that:
1) the data are processed lawfully,
2) the data are collected for specified and legitimate purposes and no further processed in a way incompatible with the intended purposes, subject to the provisions of paragraph 2 below,
3) the data are relevant and adequate to the purposes for which they are processed,
4) the data are kept in a form which permits identification of the data subjects no longer than it is necessary for the purposes for which they are processed.
2. The processing of data, for the purpose other than intended at the time of data collection is allowed provided that it does not violate the rights and freedoms of the data subject and is done:
1) for the purposes of scientific, didactic, historical or statistical research,
2) subject to the provisions of Article 23 and Article 25.

The SAC also ruled that such processing is also not justified by the provisions of the Act on Banks Law.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.