The Polish company Promedica Care Sp. z o.o requested the Inspector General for Personal Data Protection (GIODO) to issue a decision that would order Agora S.A., the owner of gazeta.pl website, to disclose IP addresses of users who posted negative comments regarding Promedica24.pl website. The GIODO decided that Agora S.A. should disclose requested information, although, it also noticed that the provisions of Article 29 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, were repealed as of 7 March 2011.
1. The processing of data is permitted only if:
1) the data subject has given his/her consent, unless the processing consists in erasure of personal data,
2) processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision,
3) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
4) processing is necessary for the performance of tasks provided for by law and carried out in the public interest,
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.
However, these regulations should be still applied to proceedings initiated before the entry into force of the Act that repealed the above mentioned provisions, and there was no obstacle to justify the refusal to provide the requested data according to the provisions of Article 30 of the PPD.
The controller shall refuse the access to the personal data of the filing system to subjects and persons other than those referred to in Article 29 paragraph 1, if it would:
1) result in the disclosure of the information constituting a state secrecy,
2) pose a threat to national defence or security of the state, human life and health, or security and public order,
3) pose a threat to fundamental economic or financial interests of the state,
4) result in a substantial breach of personal interests of the data subjects or other persons.
The General Inspector did not agree with Agora S.A. that providing the requested data would infringe personal interests of the users of gazeta.pl website and its fora. The violation was only hypothetical, and was not supported by proper evidence. Agora S.A. argued that there are no legal instruments that would allow for monitoring the use of disclosed data, and this may lead to their use not only inconsistent with the purpose for which they were disclosed, but even to such use that is contrary to law. The GIODO noted that the absence of such instruments is not synonymous with the use of disclosed data contrary to the purpose for which it was made available. At the moment such data was disclosed, the Company will become the controller (administrator) as defined in the Article 7(4) of the PPD.
Whenever in this Act a reference is made to any of the following, it shall mean:
4) controller – shall mean a body, an organisational unit, an establishment or a person referred to in Article 3, who decides on the purposes and means of the processing of personal data.
According to the GIODO, the processing of these data will be subject to the regulations provided in the provisions of the PPD, in particular the obligation not to undergo further processing of the data collected that would not be in accordance with the objectives of the disclosure (so-called principle of expediency/purposefulness), and the control of data processing in compliance with the provisions on personal data protection will be still the competence of the Inspector General. Agora S.A. argued that the provisions of Article 18 of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usług droga elektroniczną), published in Journal of Laws (Dziennik Ustaw) No. 144, item. 1204 with subsequent amendments, should be applied in its case, not the provisions of the PPD.
1. The service provider may process the following personal data of the service recipient necessary for entering in, designing contents, amending or terminating legal relationship between them:
1) service recipient’s surname and names ,
2) his/her PESEL number (Personal Identification Number),
3) his/her permanent residence address,
4) his/her address for correspondence, if it is different than the address referred to in point 3,
5) data used for verifying the service recipient’s electronic signature ,
6) service recipient’s electronic addresses .
2. In order to effect contracts or other legal activity having been concluded with a service recipient, a service provider may process other data necessary due to nature (characteristics) of the service provided or way of its billing.
3. The service provider distinguishes and marks those data from among the data referred to in paragraph 2, as such being necessary for providing services by electronic means in accordance with art. 22 paragraph 1.
4. The service provider may process, upon consent of s service recipient and for the purposes set forth in art. 19 paragraph 2 point 2, other data concerning the service recipient, which are not necessary for providing service by electronic means.
5. The service provider may process the following data describing the way of using the service provided by electronic means by a service recipient (traffic data):
1) denotations identifying the service recipient assigned on the basis of the data referred to in paragraph 1,
2) denotations identifying the telecommunication network terminal or a teleinformation system, which have been used by a service recipient,
3) information about commencement, termination and a range of every usage of the service provided by electronic means,
4) information about using of the service provided by electronic means by a service recipient.
6. The service provider provides the information on data referred to in paragraphs 1 – 5 to the state authorities for the needs of legal proceedings carried on by them.
The provider is therefore obliged to provide information on all categories of data listed in Article 18(1-5) of the PSEM, to the State authorities for the purpose of the proceedings conducted by them. The Inspector General noted that the disclosed information should also be understood as such data. The GIODO said that the provision of Article 18(6) of the PSEM are constructed in general terms and do not indicate either the types of bodies that may request such information, or the types of proceedings: criminal, civil, administrative or enforcement. The Inspector General noted that the provision of Article 18(6) of the PSEM only requires the provider to disclose information to State bodies, and it should not be interpreted broadly as the legal norm that is prohibiting the disclosure of such information to other entities. The GIODO decided that if the legislature had the intention to limit the disclosure of the information referred to in Article 18(1-5) of the PSEM, only for the bodies referred to in Article18(6) of the Act, it would explicitly formulate this provision, for example, by using the phrase “only”, which is a legislative method of defining the closed circle of entities, as it was provided in other regulations, for instance in the Article 66g and Article 66j § 4 of the Polish Act of 17 June 1966 on Administrative Enforcement Proceedings, or in the Article 72(1) of the Polish Act 5 August 2010 on Protection of Classified Information and in Article 105(1) of the Polish Act of 29 August 1997 Banking Law. The Inspector General noted that the legislature did not use the phrase “only” in the provisions of Article 218 of the Criminal Proceedings Code – CRPC – (in Polish: Kodeks Postępowania Karnego) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 89, item 555, with subsequent amendments, in relation to an obligation to disclose, at the request contained in the order, to the court or the prosecutor any mail and packages and the data referred to in Article 180c and 180d of the Polish Act of 16 July 2000 on Telecommunications Law – TLA – (in Polish: Prawo telekomunikacyjne), published in Journal of Laws (Dziennik Ustaw) No 171, item 1800 with subsequent amendments.
1. The obligation referred to in Article 180a (1) shall cover the data necessary to:
1) trace the network termination point, telecommunications terminal equipment, an end user:
a) originating the call,
a) the date and time of a call and its duration,
b) the type of a call,
c) location of telecommunications terminal equipment.
2. The minister competent for communications in agreement with the minister competent for internal affairs, having regard to the type of telecommunications activities performed by operators of a public telecommunications network or providers of publicly available telecommunications services, data specified in paragraph 1, costs of data collection and retention as well as the need to avoid multiple retention and storage of the same data, shall specify, by means of an ordinance:
1) a detailed list of data referred to in paragraph 1;
2) types of public telecommunications network operators or providers of publicly available telecommunications services obliged to retain and store the data.
Telecommunications undertakings shall be obliged to provide conditions for access and retention as well as to make available at their own cost the data referred to in Article 159 (1) (1) and (3) to (5), in Article 161 and in Article 179 (9) related to the provided telecommunications service and processed by them to authorized entities, to the court and to the prosecutor, under the terms and observing the procedures specified in separate provisions.
The Inspector General stressed that the legislature has indicated that only the court or the prosecutor is allowed to open the correspondence, mail and data, or order for their opening.
§ 1. Offices, institutions and entities operating in post and telecommunications fields, customs houses, and transportation institutions and companies, shall be obligated to surrender to the court or state prosecutor upon demand included in their order, any correspondence or transmissions significant to the pending proceedings. Only the court and a state prosecutor shall be entitled to inspect them or to order their inspection.
The Inspector General also stressed that the above-cited provisions of the CRPC should not be applied in this case, because Promedica Care Sp. z o.o is not the authority conducting the proceedings in a criminal case, and the disclosed personal data will be used by it to initiate civil, not criminal proceedings. The GIODO indicated that Promedica may follow the procedure provided for in Article 29 of the PPD, and civil proceedings under the Civil Proceedings Code – CPC (in Polish: Kodeks Postępowania Cywilnego) of 17 November 1964, published in Journal of Laws (Dziennik Ustaw) No. 43, item 296, with subsequent amendments, regardless of actions taken under the criminal proceedings. Agora S.A. filed a complaint.
The Voivodeship Administrative Court in Warsaw in its judgment of 8 March 2012 II SA/Wa 2821/11 repealed the contested decision, and held that according to the provisions of Article 18(6) of the PSEM, the only one empowered to obtain data collected by the service provider within the meaning of that Act, are the State bodies. The PSEM does not contain any other provision, which serve as the basis for disclosure of data to the entities other than state authorities. The court stated that if the legislature’s intention was to give permission to obtain operational data to entities other than state authorities, it would have included a clear regulation providing for such permission in the PSEM. Data protection is a general rule. The service provider may process personal and operational data only in the extent and on terms defined in the PSEM. Only in the absence of regulations provided in the PSEM such processing may be based on an appropriate application of the PPD. The disclosure of data to third parties – such as Promedica Care – is breaking of that protection and as an exception to the rule cannot be interpreted broadly.
See also “Polish regulations on personal data protection“, “Polish case law on personal data protection“