Personal data protection, case I OSK 1827/11

August 29th, 2012, Tomasz Rychlicki

The Inspector General for Personal Data Protection (GIODO) in its decision of 24 September 2010, no. DIS/DEC-1134/38146/10 ordered the Polish company Info Veriti Polska Sp. z o.o. Obsługa Serwisu Internetowego Sp.J., the publisher of online database of Polish entrepreneurs, to inform the individuals whose data that were publicly available in sources such as Court’s Monitor and Economic Monitor and which have been collected and preserved by the Company, according to the information requirement referred to in Article 25(1) of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, within 3 months from the date on which this decision becomes final.

1. In case where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his/her personal data, with the following information:
1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name,
2) the purpose and the scope of data collection, and in particular, about the data recipients or categories of recipients,
3) the source of data,
4) the existence of the data subject’s right of access to his/her data and the right to rectify these data,
5) the powers resulting from Article 32 paragraph 1 point 7 and 8.

Furthermore, the GIODO ordered the Company to register the collection of personal data of customers (owners of e-mail addresses) within 30 days from the date on which the decision becomes final, to allow users of website to freely consent to the processing of their personal data for marketing purposes within 30 days from the date on which this decision becomes final, to create documentation establishing security policy and the intruction for management of IT system that used to process personal data, within 30 days from the date on which this decision becomes final, to grant the authorization to the processing of personal data to persons who are allowed to process personal data within 14 days from the date on which this decision becomes final, and to create a record of persons authorized to process personal data within 14 days from the date on which this decision becomes final. Info Veriti argued that the provisions of Article 25(1) of the PPO should not apply in its case because the provision of other law provides and allows for personal data collection without the need to notify the data subject. Such allowance happens in the case of laws that introduced a formal disclosure of public registers, that include records containing personal information. The formal disclosure of a registry means the right of everyone to access data in the register, without the need to show the legal or factual interest. Due to the widespread legitimacy in terms of access to recorded data, a person obtaining information from the register is not in any way identified during data acquisition. The Laws relating to public records and registers, also do not require explicit registration of the collected data, and there is no knowledge of the registration body of when and to whom the data were disclosed. Moreover, some registration authorities, on the basis of generally formulated principles of transparency, put the data from public records for public networks such as the Internet, which makes impossible to control access of who accessed such register. The GIODO noted that the PPD does not prohibit the creation of separate collections based on data from sources generally available, however, it does not mean that such collections are not subject to the provisions of the PPD. The Company receives data from the National Court Register in order to create a separate database, which uses for its own commercial purposes. In this way, Info Veriti Polska becomes the administrator of the collected data, therefore, as the controller, it is obliged to information requirements. The right of individuals to keep information regarding their situation and status in private, is constitutionally guaranteed, and may be restricted exclusively by laws that have the statutory rank (only Acts). The Act on the National Court Register (KRS) is just such an act. In this case, the record of a natural person entered to the KRS is publicly available, because such Register was created to ensure the transparency of the economic market in Poland. The persons referred to in the Act on the National Court Register, are therefore required to provide their data for inclusion in the register and they must also reckon with the disclosure. This does not mean, however, that they must agree to the use of their data for purposes other than the generally speaking, transparency of economic activity. However, the data controller that processes personal data should provide due care in order to protect the interests of the persons whose data were collected and in particular to ensure that the data were collected for specified and legitimate purposes and are not further processed in a way incompatible with those purposes. The GIODO also noted that the list of situations that allow for waive the requirement to provide information, referred to in 25(1) of the PPD has changed as a result of amendments to the Act that were made in 2004. The provision of Article 25(2) pt 2 that allowed to waive the abovementioned obligation in a situation where the data provided for collection are generally available, was repealed. For these reasons, it was obvious that the intention of the legislature was to require data controllers who collect data “generally available” to completing the duties arising out of the provision of Article 25(1) of the PPD.

The company filed a complaint to the Voivodeship Administrative Court in Warsaw against the decisions issued by the GIODO. Info Veriti requested the Court to decide on the invalidity, or their repeal, in addition, the Company has applied for stay of the execution of the contested decisions and the order to return the costs of proceedings. Infor Veirit claimed that the processed data is very limited, restricted to surname, the national identification number (PESEL), date of birth and functions performed in the entities disclosed in the KRS. Therefore, it is impossible to provide information to persons whose data are processed, because some of them have historical character. These are people who in the past served specific functions. The data administrator is not able to provide such individuals with the required information. The data controller does not process data allowing for direct contact with a person (e.g. home address), and sending information to the address of the entity (e.g. companies created according to the provisions of the Polish Code of Commercial Companies), which in the past served a given function, can not be considered for the execution of the decision. In order to comply with the decision, Info Veriti would need to gather additional categories of data to make contact and send the required information. However, such an obligation should clearly expressed in the decision, which has not happened. The Company has no legal basis for the acquisition of new categories of personal data. The deadline of three months that was ordered by the GIODO is unrealistic in order to collect the required contact data in relation to all of the data are included in the database. The Company noted that its database contains all the data entered in the National Court Register. The purpose of data entered in the National Court Register is closely related to business transactions, and the widespread availability of the registry should not be regarded as interference in the private sphere of the individual whose data is disclosed in the registry. There isn’t therefore a need to notify such persons regarding the process of collecting their personal data, as instruments of public-law on protection of personal data are treated as protection of the right to privacy. The person who serves or served in the bodies of commercial companies must accept that the data will be in an open public record to which access will have anyone interested in business. The purpose of transparency and certainty of economic activity, according to the legislator, prevails over the protection of the name, surname, date of birth and the PESEL number of the persons who performed specific functions in the bodies that were entered into the KRS. Info Veriti also disagreed with the opinion of the GIODO, which opposes the existence and goals of the KRS and data collection of the Company, the latter being also created in order to provide the transparency of economic activity. Services provided by the Company are based on data from public records and explicitly relate to economic activity of specific individuals. Such commercial processing of data previously collected by public entities is allowed by EU law, such as Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information. Information on such entities contributes to the establishment of the internal market and creates a system ensuring undisturbed competition in that market. It is also emphasized that public sector information is an important starting material for products and services related to digital content, and more opportunities to re-use this information should allow European companies to use their potential and contribute to economic growth and job creation. As “information services” of Info Veriti are based on data obtained from public records, they fit into the goals provided in the recitals of the Directive 2003/98/EC. According to Infor Veirit, the consequences of the position taken in the decisions of the GIODO, which implies obligation to provide information to any person that collects data from the National Court Register, if there are situations referred to in Article 2 (1-2) of the PPD, are also unacceptable.

Article 2
1. The Act shall determine the principles of personal data processing and the rights of natural persons whose personal data is or can be processed as a part of a data filing system.
2. The Act shall apply to the processing of personal data in:
1) files, indexes, books, lists and other registers,
2) computer systems, also in case where data are processed outside from a data filing system.

Such requirement would have to be commonly executed in the course of trade in relation to a number of activities related to the acquisition of data from the National Court Register. Given the widespread use of copies of the KRS, that are used for instance to identify the persons authorized to represent the company at the conclusion of the contract, such an interpretation would lead to economic paralysis, and certainly also to the irrational (excessive) financial costs, in the name of privacy protection, which in the present case does not occur.

The Voivodeship Administrative Court in its judgment of 2 June 2011 case file II SA/Wa 720/11 dismissed the complaint. The Court held that the Polish legislator afforded the citizen’s right to privacy in Articles 47, 49 and 51 of the Constitution. This also includes the protection of personal data and privacy against excessive interference by others. The provision of Article 47 of the Constitution sets out the principle of the protection of private life, Article 49 provides for the protection of the correspondence, while the provision of Article 51 states that no one shall be obliged, except under the Act to disclose information concerning his person, a public authority may not acquire, collect and share information on citizens other than those necessary in a democratic state ruled by law, everyone has the right of access to official documents and it datasets. Limitation of this right may be established by statute (act), and to anyone has the right to request the correction or deletion of information incorrect, incomplete, or collected in a manner inconsistent with the Act. These regulations are expanded in the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, which in turn refers to the solutions contained in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. These instruments created a basic framework for data protection in the Republic of Poland. The PPD created statutory principle of the protection of personal data. In accordance with Article 1 of the PPD, any person has a right to have his/her personal data protected. The processing of personal data can be carried out in the public interest, the interest of the data subject, or the interest of any third party, within the scope and subject to the procedure provided for by the Act. The protection of personal data is a fundamental right of citizens in a democratic state of law. Protection of personal data is closely connected with the protection of private life and, therefore, it determines the freedom of the citizen. The right to protection of personal data, however, is not absolute and it is limited in the interests of the public or justified interests of others. However, since it is a citizen’s right, that determines a person’s sense of freedom, the exceptions allowing for the collection and use of personal data should be subject to strict interpretation. The legislature guided by the values of protection of constitutional rights cannot allow for a situation in which the law by the wider interpretation of the provisions relating to the processing of personal data, is violated. The provisions of the Act on the National Court Register lay down the rules of registration and the rules of disclosure of data. Such data are available electronically by the Central Information of the KRS or by viewing the register files in the appropriate departments of the Polish courts. These data are made available to any interested person, for the purposes of certainty of economic activity. The persons who undertakes an activity that is to be entered into the KRS, knows that the data is maintained by the State in the registry and data will be used only on the basis of the provisions relating to the functioning of the registry. Meanwhile, Info Veriti collects personal data and information disclosed in the register, such as surname, the PESEL number into its own database, in which data are processed. Data and information from the KRS are not intended for this purpose, and the people who share their personal information do not accept the fact that their personal data had been placed in another private database. When entrepreneurs decide to place their data into the KRS, they also have confidence that such data will be disclosed and used only in a manner permitted by the Act on the National Court Register. The legislature cannot allow for the situation that the protection of personal data contained in the KRS will not be limited to entities that wish to use the data for other purposes, and in a different way than permitted by the Act on the National Court Register. At this time, it would lead to a situation in which data from KRS could be used in an unrestricted way, against the will of the people entered into the register, for instance, in order to create a database for the marketing campaign. The court did not agree with the argument that the contested decision is contrary to the provisions of Directive 2003/98/EC. According to the court, the Directive does not apply directly to the Polish law, as EU directives are implemented into the law of a Member State and only then enter into force in the legal system. This Directive is not implemented to the Polish law, and Poland still works on the implementation. The court held that the contested decision is enforceable. Info Veriti builds its own database and has data that allow the Company to perform the information requirement to those who are in the database. It is possible because there are surnames and PESEL numbers of individuals, and businesses headquarters, where they perform given functions. Moreover, Info Veriti may use the services of the Central Bureau of Domiciliary. The fact that it is a big organizational task and it involves a large number of people does not mean that it is not feasible. By building a large database the Company had to be aware that in relation to the number of people it will have specific obligations according to the provisions of the PPD. Info Veriti filed a requested to stay the execution of the decisions.

The Supreme Administrative Court in its order of 30 September 2011 case file I OSK 1827/11 decided to stay the execution of both decisions.