Jerzy S. requested the Inspector General for Personal Data Protection (GIODO) to issue a decision that would order Agora S.A., the owner of gazeta.pl website, to disclose IP addresses of a user, who under the nickname Marco wrote negative and defamatory comments regarding a sport article, that Jerzy S. published on gazeta.pl. This way Jerzy S. wanted to know real the name of Marco, in order to sue him or her for the infringement of personal rights based on the provisions of the Polish Civil Code. Jerze S. requested Agora to disclose such information, but the Company refused and cited provisions of Article 18(6) of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usług droga elektroniczną), published in Journal of Laws (Dziennik Ustaw) No. 144, item. 1204 with subsequent amendments.

Article 18
1. The service provider may process the following personal data of the service recipient necessary for entering in, designing contents, amending or terminating legal relationship between them:
1) service recipient’s surname and names ,
2) his/her PESEL number (Personal Identification Number),
3) his/her permanent residence address,
4) his/her address for correspondence, if it is different than the address referred to in point 3,
5) data used for verifying the service recipient’s electronic signature,
6) service recipient’s electronic addresses .
2. In order to effect contracts or other legal activity having been concluded with a service recipient, a service provider may process other data necessary due to nature (characteristics) of the service provided or way of its billing.
3. The service provider distinguishes and marks those data from among the data referred to in paragraph 2, as such being necessary for providing services by electronic means in accordance with art. 22 paragraph 1.
4. The service provider may process, upon consent of s service recipient and for the purposes set forth in art. 19 paragraph 2 point 2, other data concerning the service recipient, which are not necessary for providing service by electronic means.
5. The service provider may process the following data describing the way of using the service provided by electronic means by a service recipient (traffic data):
1) denotations identifying the service recipient assigned on the basis of the data referred to in paragraph 1,
2) denotations identifying the telecommunication network terminal or a teleinformation system, which have been used by a service recipient,
3) information about commencement, termination and a range of every usage of the service provided by electronic means,
4) information about using of the service provided by electronic means by a service recipient.
6. The service provider provides the information on data referred to in paragraphs 1 – 5 to the state authorities for the needs of legal proceedings carried on by them.

The Company argued that it is obliged to provide such information only to the state authorities. However, the GIODO ordered Agora to disclose requested IP addresses. The Voivodeship Administrative Court in Warsaw in its order of 20 February 2013 case file II SA/Wa 153/13 suspended execution of the contested decision. The GIODO filed complaint against this order, but the Supreme Administrative Court in its order of 23 April 2013 I OZ 269/13 dismissed it.

The Voivodeship Administrative Court in Warsaw in its judgment of 17 June 2013 case file II SA/Wa 153/13 dismissed the compliant filed by AGORA. The Court ruled that in this case the condition established in Article 25(1)(v) of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, was met.

Article 25
1. In case where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his/her personal data, with the following information:
1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name,
2) the purpose and the scope of data collection, and in particular, about the data recipients or categories of recipients,
3) the source of data,
4) the existence of the data subject’s right of access to his/her data and the right to rectify these data,
5) the powers resulting from Article 32 paragraph 1 point 7 and 8.

Article 32
1. The data subject has a right to control the processing of his/her personal data contained in the filing systems, and in particular he/she has the right to:
1) obtain extensive information on whether such system exists and to establish the controller’s identity, the address of its seat and its full name, and in case the controller is a natural person to obtain his/her address and his/her full name,
2) obtain information as to the purpose, scope, and the means of processing of the data contained in the system,
3) obtain information since when his/her personal data are being processed and communication to him/her in an intelligible form of the content of the data,
4) obtain information as to the source of his/her personal data, unless the controller is obliged to keep it confidential as a state, trade or professional secrecy,
5) obtain information about the means in which the data are disclosed, and in particular about the recipients or categories of recipients of the data,
5a) obtain information about the prerequisites of taking the decision referred to in Article 26a paragraph 2,
6) demand the data to be completed, updated, rectified, temporally or permanently suspended or erased, in case they are not complete, outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected,
7) make a justified demand in writing, in cases referred to in Article 23 paragraph 1 point 4 and 5, for the blocking of the processing of his/her data, due to his/her particular situation,
8) object to the processing of his/her personal data in cases referred to in Article 23 paragraph 1 point 4 and 5, should the controller intend to process the data for marketing purposes or to object to the transfer of the data to another controller,

See also “Personal data protection, case II SA/Wa 2821/11“.

Categories: Art. 16 PSEM | Art. 22 PPD | Art. 25 PPD | Inspector General for Personal Data Protection | Polish Act on Protection of Personal Data | Polish Act on Providing Services by Electronic Means | Polish courts | Polish institutions | Polish law | Polish Supreme Administrative Court | Voivodeship Administrative Court.