Archive for: Directive 95/46/EC

Personal data protection, I CSK 190/12

August 29th, 2013, Tomasz Rychlicki

The Supreme Court in its judgment of 8 November 2012 case file I CSK 190/12 held that without a doubt, the first name and surname constitute personal data of the individual, therefore, the important question arose, whether they belong to the scope of the individual’s privacy as understood in the provisions of Article 5(2) of the Polish Act of 6 September 2001 on Access to Public Information – API – (in Polish: Ustawa o dostępie do informacji publicznej), published in Journal of Laws (Dziennik Ustaw) No. 112, item 1198, with subsequent amendments.

Article 5. 1. The right to public information is subject to limitation to the extent and on the principles defined in the provisions on the protection of confidential information and on the protection of other secrets being statutorily protected.
2. The right to public information is subject to limitation in relation to privacy of a natural person or the secret of an entrepreneur. The limitation does not relate to the information on persons performing public functions, being connected with performing these functions, including the conditions of entrusting and performing these functions and in the event when a natural person or entrepreneur resigns from the right to which he was entitled to.

Previous opinions of the Supreme Court on the relationship between the right to protect of personal data and the right to privacy are not clear. They were formulated mainly from the point of view of the protection of personal interests as defined in Articles 23 and 24 of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, published in Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments.

Article 23
The personal interests of a human being, in particular to health, dignity, freedom, freedom of conscience, surname or pseudonym, image, secrecy of correspondence, inviolability of home, and scientific, artistic, inventor’s and rationalizing achievements, shall be protected by civil law independent of protection envisaged in other provisions.

Article 24
§ 1 The person whose personal rights are threatened by someone else’s action, may require the desist of that action, unless it is not illegal. In the event of the infringement one may also require, the person who committed the violation, to fulfill the actions necessary to remove its effects, in particular, to make a statement of the relevant content and appropriate format. According to the conditions laid down in the Code one may also require monetary compensation or payment of an appropriate amount of money for a social purpose indicated.
§ 2 If as the result of a breach of personal rights one has suffered pecuniary prejudice, the aggrieved person may claim compensation based on general principles.
§ 3 The above shall not prejudice the entitlements provided by other regulations, in particular in copyright law and the patent (invention) law.

The Supreme Court in its judgment of 15 February 2008 case file I CSK 358/07 (published in OSNC 2009, no. 4, item 63) ruled that legal commentators and case law of the Constitutional Court agree that the right to protect of personal data is derived directly from personal rights such as human dignity and the right to privacy, citing judgments of the Polish Constitutional Tribunal of 19 February 2002 case file U 3/01 (published in OTK-A 2002, no. 1, item 3) and of 12 November 2002 case file SK 40/01 (published in OTK-A 2002, no. 6, item 81). Nowadays, the collection and processing of the personal data is technically relatively simple, therefore it is necessary to protect a person against uncontrolled collection and use of his or her personal data, often without the contribution or even awareness of the person concerned. For these reasons, the legislator specifically regulated the issues of data collection, processing, use and protection of personal data in the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. While interpreting its provisions, one cannot ignore the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and its preamble that explicitly states that data-processing systems are designed to serve man, whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy. The Supreme Court in its judgment of 28 April 2004 III CK 442/02 (unpublished) stressed that when assessing whether there has been the breach of privacy protected by the law, this concept cannot be absolutized due to the degree of its generality, it requires interpretation, taking into account the specific circumstances of the situation. Events and circumstances that form the personal and family life can be classified as private sphere of life. The special nature of this area of man’s life justify the grant of its strong legal protection. However, this does not mean that any reference to a particular person was information in the field of his or her personal life. The regime of protection of privacy and personal data protection regime are therefore independent. Undoubtedly, when it comes to the relationships and the impact of these regimes, because in certain situations, the actual processing of personal data may result in a violation of personal interests in the form of the right to privacy, or protection of the right to privacy will required the objection to the use of personal data. It is difficult to unequivocally determine whether the disclosure of the first name and the surname of an individual by a local government violates his or her right to privacy. This problem can be resolved only while assessing particular circumstances of each case. In this case, the city was requested to disclose the names of individuals with whom it has entered into a contract of mandate and contract of work. One of these contracts concerned preparation and delivery of a lecture. It was difficult for the Court to accept that anonymization and hiding of the surname of a person giving such a lecture would have any meaning. Other agreements related to use of the electronic system of sociological analysis and organization of the conference. They were entered by specific individuals with a public body, which was the city. These people had to reckon with the fact that their personal data will not remain anonymous. For a person requesting access to public information related contracts entered by a local authority, names of parties to such agreements are often more important than the content, and it is understandable for obvious reasons. It would be difficult in this case to defend the view that the disclosure of names of people in the present context would be deemed as a limitation on the exercise of constitutional freedoms and rights of these persons. It had therefore to be assumed, that the disclosure of the names of persons entering civil contracts with a local authority does not affect the right to privacy of those persons referred to in Article 5(2) of the API.

See also “Polish regulations on personal data protection“, “Polish case law on personal data protection“.

Personal data protection, case I OSK 1827/11

August 29th, 2012, Tomasz Rychlicki

The Inspector General for Personal Data Protection (GIODO) in its decision of 24 September 2010, no. DIS/DEC-1134/38146/10 ordered the Polish company Info Veriti Polska Sp. z o.o. Obsługa Serwisu Internetowego Sp.J., the publisher of online database of Polish entrepreneurs, to inform the individuals whose data that were publicly available in sources such as Court’s Monitor and Economic Monitor and which have been collected and preserved by the Company, according to the information requirement referred to in Article 25(1) of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, within 3 months from the date on which this decision becomes final.

1. In case where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his/her personal data, with the following information:
1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name,
2) the purpose and the scope of data collection, and in particular, about the data recipients or categories of recipients,
3) the source of data,
4) the existence of the data subject’s right of access to his/her data and the right to rectify these data,
5) the powers resulting from Article 32 paragraph 1 point 7 and 8.

Furthermore, the GIODO ordered the Company to register the collection of personal data of customers (owners of e-mail addresses) within 30 days from the date on which the decision becomes final, to allow users of website to freely consent to the processing of their personal data for marketing purposes within 30 days from the date on which this decision becomes final, to create documentation establishing security policy and the intruction for management of IT system that used to process personal data, within 30 days from the date on which this decision becomes final, to grant the authorization to the processing of personal data to persons who are allowed to process personal data within 14 days from the date on which this decision becomes final, and to create a record of persons authorized to process personal data within 14 days from the date on which this decision becomes final. Info Veriti argued that the provisions of Article 25(1) of the PPO should not apply in its case because the provision of other law provides and allows for personal data collection without the need to notify the data subject. Such allowance happens in the case of laws that introduced a formal disclosure of public registers, that include records containing personal information. The formal disclosure of a registry means the right of everyone to access data in the register, without the need to show the legal or factual interest. Due to the widespread legitimacy in terms of access to recorded data, a person obtaining information from the register is not in any way identified during data acquisition. The Laws relating to public records and registers, also do not require explicit registration of the collected data, and there is no knowledge of the registration body of when and to whom the data were disclosed. Moreover, some registration authorities, on the basis of generally formulated principles of transparency, put the data from public records for public networks such as the Internet, which makes impossible to control access of who accessed such register. The GIODO noted that the PPD does not prohibit the creation of separate collections based on data from sources generally available, however, it does not mean that such collections are not subject to the provisions of the PPD. The Company receives data from the National Court Register in order to create a separate database, which uses for its own commercial purposes. In this way, Info Veriti Polska becomes the administrator of the collected data, therefore, as the controller, it is obliged to information requirements. The right of individuals to keep information regarding their situation and status in private, is constitutionally guaranteed, and may be restricted exclusively by laws that have the statutory rank (only Acts). The Act on the National Court Register (KRS) is just such an act. In this case, the record of a natural person entered to the KRS is publicly available, because such Register was created to ensure the transparency of the economic market in Poland. The persons referred to in the Act on the National Court Register, are therefore required to provide their data for inclusion in the register and they must also reckon with the disclosure. This does not mean, however, that they must agree to the use of their data for purposes other than the generally speaking, transparency of economic activity. However, the data controller that processes personal data should provide due care in order to protect the interests of the persons whose data were collected and in particular to ensure that the data were collected for specified and legitimate purposes and are not further processed in a way incompatible with those purposes. The GIODO also noted that the list of situations that allow for waive the requirement to provide information, referred to in 25(1) of the PPD has changed as a result of amendments to the Act that were made in 2004. The provision of Article 25(2) pt 2 that allowed to waive the abovementioned obligation in a situation where the data provided for collection are generally available, was repealed. For these reasons, it was obvious that the intention of the legislature was to require data controllers who collect data “generally available” to completing the duties arising out of the provision of Article 25(1) of the PPD.

The company filed a complaint to the Voivodeship Administrative Court in Warsaw against the decisions issued by the GIODO. Info Veriti requested the Court to decide on the invalidity, or their repeal, in addition, the Company has applied for stay of the execution of the contested decisions and the order to return the costs of proceedings. Infor Veirit claimed that the processed data is very limited, restricted to surname, the national identification number (PESEL), date of birth and functions performed in the entities disclosed in the KRS. Therefore, it is impossible to provide information to persons whose data are processed, because some of them have historical character. These are people who in the past served specific functions. The data administrator is not able to provide such individuals with the required information. The data controller does not process data allowing for direct contact with a person (e.g. home address), and sending information to the address of the entity (e.g. companies created according to the provisions of the Polish Code of Commercial Companies), which in the past served a given function, can not be considered for the execution of the decision. In order to comply with the decision, Info Veriti would need to gather additional categories of data to make contact and send the required information. However, such an obligation should clearly expressed in the decision, which has not happened. The Company has no legal basis for the acquisition of new categories of personal data. The deadline of three months that was ordered by the GIODO is unrealistic in order to collect the required contact data in relation to all of the data are included in the database. The Company noted that its database contains all the data entered in the National Court Register. The purpose of data entered in the National Court Register is closely related to business transactions, and the widespread availability of the registry should not be regarded as interference in the private sphere of the individual whose data is disclosed in the registry. There isn’t therefore a need to notify such persons regarding the process of collecting their personal data, as instruments of public-law on protection of personal data are treated as protection of the right to privacy. The person who serves or served in the bodies of commercial companies must accept that the data will be in an open public record to which access will have anyone interested in business. The purpose of transparency and certainty of economic activity, according to the legislator, prevails over the protection of the name, surname, date of birth and the PESEL number of the persons who performed specific functions in the bodies that were entered into the KRS. Info Veriti also disagreed with the opinion of the GIODO, which opposes the existence and goals of the KRS and data collection of the Company, the latter being also created in order to provide the transparency of economic activity. Services provided by the Company are based on data from public records and explicitly relate to economic activity of specific individuals. Such commercial processing of data previously collected by public entities is allowed by EU law, such as Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information. Information on such entities contributes to the establishment of the internal market and creates a system ensuring undisturbed competition in that market. It is also emphasized that public sector information is an important starting material for products and services related to digital content, and more opportunities to re-use this information should allow European companies to use their potential and contribute to economic growth and job creation. As “information services” of Info Veriti are based on data obtained from public records, they fit into the goals provided in the recitals of the Directive 2003/98/EC. According to Infor Veirit, the consequences of the position taken in the decisions of the GIODO, which implies obligation to provide information to any person that collects data from the National Court Register, if there are situations referred to in Article 2 (1-2) of the PPD, are also unacceptable.

Article 2
1. The Act shall determine the principles of personal data processing and the rights of natural persons whose personal data is or can be processed as a part of a data filing system.
2. The Act shall apply to the processing of personal data in:
1) files, indexes, books, lists and other registers,
2) computer systems, also in case where data are processed outside from a data filing system.

Such requirement would have to be commonly executed in the course of trade in relation to a number of activities related to the acquisition of data from the National Court Register. Given the widespread use of copies of the KRS, that are used for instance to identify the persons authorized to represent the company at the conclusion of the contract, such an interpretation would lead to economic paralysis, and certainly also to the irrational (excessive) financial costs, in the name of privacy protection, which in the present case does not occur.

The Voivodeship Administrative Court in its judgment of 2 June 2011 case file II SA/Wa 720/11 dismissed the complaint. The Court held that the Polish legislator afforded the citizen’s right to privacy in Articles 47, 49 and 51 of the Constitution. This also includes the protection of personal data and privacy against excessive interference by others. The provision of Article 47 of the Constitution sets out the principle of the protection of private life, Article 49 provides for the protection of the correspondence, while the provision of Article 51 states that no one shall be obliged, except under the Act to disclose information concerning his person, a public authority may not acquire, collect and share information on citizens other than those necessary in a democratic state ruled by law, everyone has the right of access to official documents and it datasets. Limitation of this right may be established by statute (act), and to anyone has the right to request the correction or deletion of information incorrect, incomplete, or collected in a manner inconsistent with the Act. These regulations are expanded in the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, which in turn refers to the solutions contained in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. These instruments created a basic framework for data protection in the Republic of Poland. The PPD created statutory principle of the protection of personal data. In accordance with Article 1 of the PPD, any person has a right to have his/her personal data protected. The processing of personal data can be carried out in the public interest, the interest of the data subject, or the interest of any third party, within the scope and subject to the procedure provided for by the Act. The protection of personal data is a fundamental right of citizens in a democratic state of law. Protection of personal data is closely connected with the protection of private life and, therefore, it determines the freedom of the citizen. The right to protection of personal data, however, is not absolute and it is limited in the interests of the public or justified interests of others. However, since it is a citizen’s right, that determines a person’s sense of freedom, the exceptions allowing for the collection and use of personal data should be subject to strict interpretation. The legislature guided by the values of protection of constitutional rights cannot allow for a situation in which the law by the wider interpretation of the provisions relating to the processing of personal data, is violated. The provisions of the Act on the National Court Register lay down the rules of registration and the rules of disclosure of data. Such data are available electronically by the Central Information of the KRS or by viewing the register files in the appropriate departments of the Polish courts. These data are made available to any interested person, for the purposes of certainty of economic activity. The persons who undertakes an activity that is to be entered into the KRS, knows that the data is maintained by the State in the registry and data will be used only on the basis of the provisions relating to the functioning of the registry. Meanwhile, Info Veriti collects personal data and information disclosed in the register, such as surname, the PESEL number into its own database, in which data are processed. Data and information from the KRS are not intended for this purpose, and the people who share their personal information do not accept the fact that their personal data had been placed in another private database. When entrepreneurs decide to place their data into the KRS, they also have confidence that such data will be disclosed and used only in a manner permitted by the Act on the National Court Register. The legislature cannot allow for the situation that the protection of personal data contained in the KRS will not be limited to entities that wish to use the data for other purposes, and in a different way than permitted by the Act on the National Court Register. At this time, it would lead to a situation in which data from KRS could be used in an unrestricted way, against the will of the people entered into the register, for instance, in order to create a database for the marketing campaign. The court did not agree with the argument that the contested decision is contrary to the provisions of Directive 2003/98/EC. According to the court, the Directive does not apply directly to the Polish law, as EU directives are implemented into the law of a Member State and only then enter into force in the legal system. This Directive is not implemented to the Polish law, and Poland still works on the implementation. The court held that the contested decision is enforceable. Info Veriti builds its own database and has data that allow the Company to perform the information requirement to those who are in the database. It is possible because there are surnames and PESEL numbers of individuals, and businesses headquarters, where they perform given functions. Moreover, Info Veriti may use the services of the Central Bureau of Domiciliary. The fact that it is a big organizational task and it involves a large number of people does not mean that it is not feasible. By building a large database the Company had to be aware that in relation to the number of people it will have specific obligations according to the provisions of the PPD. Info Veriti filed a requested to stay the execution of the decisions.

The Supreme Administrative Court in its order of 30 September 2011 case file I OSK 1827/11 decided to stay the execution of both decisions.

Who is the controller in social networking sites?

February 14th, 2010, Tomasz Rychlicki

The question of who is the “controller” and the differences between a “controller” and “processor” as defined in the article 2(d) and (e) of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in the context of social networking sites (SNS), are at least controversial not only in Polish case law. See for instance T. Zeggane, W. Maxwell, US and EU Authorities Review Privacy Threats On Social Networking Sites, Ent. L.R. 2008, 19(4), 69-74.

The second area requiring clarification is the concept of “data controller” in an SNS environment. Under European privacy law, the controller is the entity which determines the purposes and means of the processing of personal data. In an SNS context, there are two broad categories of data: the information that the user provides to the SNS platform to register (such as the user’s real name and email address), and the data that the user uploads onto his or her profile. The former is personal data which the SNS platform controls. The latter is “user generated content”, which the user controls and can choose to share (or not) with others. Some SNS platforms provide the user with tools to control the extent to which information such as photos, personal tastes and the like are used to develop targeted advertising. Where such tools exist, the argument can be made that the user (and not the SNS platform itself) is the “controller” of the content the user uploads onto the profile. The concept of data controller is the cornerstone of European privacy law. The concept of controller as it is traditionally interpreted does not fit easily into the SNS environment, where the user is the focal point

As you can read from the above, the authors suggest that the situation requires a clarification of the concept of “controller” in terms of SNS. A similar view was also presented in the report of the European Network and Information Security Agency (ENISA), “Security Issues and Recommendations for Online Social Networks“, PDF file, p. 25.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Personal data protection, case I OSK 667/09

February 13th, 2010, Tomasz Rychlicki

On 15 January 2008, Tomasz W. filed with the General Inspector for Personal Data Protection (GIODO) a complaint concerning an unauthorized processing of personal data carried out by the Polish company Nasza Klasa Sp. z o.o. from Wroclaw, the owner of website. He informed the GIODO, that this very popular Polish website on classmates, hosts a photo featuring his image together with a list of names of other photographed people attached to it. Tomasz W. has repeatedly appealed to the website administrators with the request to remove his name from the list. However, he received no response from Nasza Klasa company.

As a result of the investigation, the GIODO found that on 31 December 2007, a registered user of posted classmates’ photo featuring students of a primary school. On the same day, another registered user, placed the names of people who were portrayed at the photograph – including the name and surname of Tomasz W. On 2, 9 and 14 January 2008, Tomasz W. requested Nasza Klasa Sp. z o.o. the removal of his personal data.

In a decision of 27 May 2008, case file DOLiS/DEC-314/08/13239, the GIODO, relying on the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, ruled that information on the applicant’s full name, school and class to which he attended, together with his image, are personal data and the data collector is Nasza Klasa Sp. z o.o.

However, the GIODO also ruled that it should be borne in mind that according to the provision of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usług droga elektroniczną), published in Journal of Laws (Dziennik Ustaw) No. 144, item. 1204 with subsequent amendments, Nasza Klasa sp. z o.o. provides electronic services for registered users of the portal website, consisting of the storage of data of these users in the computer system. This activity is the condition to legalize the processing of personal data in accordance with article 23(1) pt. 5 of the PPD. In addition, the GIODO found that in this case the applicant’s rights have not been violated, because the access to its data was limited to a group of people registered on website.

Tomasz W. asked the GIODO for the retrial. He pointed out that the reasons for the decision have many contradictions, inconsistencies and is ambiguous. He accused the GIODO of laconic and cursory treatment of his case. He again emphasized that his personal data have been published on the website without his knowledge or consent, in violation of his civil rights and liberties.

After the rehearing of the case, the GIODO annulled the contested decision, and discontinued the proceedings. GIODO claimed that the re-examination of the case leads to the conclusion that the disputed information about Tomasy W. did not fall within the definition of personal data. The name and surname have been given under his old image from many years ago. Hence, the combination of photos from the past, with a name and surname of a person and a primary school, which such person attended did not allow for the identification of a person without excessive costs and time. The findings that the disputed information is not personal data within the meaning of the PPD caused the proceedings in the matter to be groundless and on the basis of article 105 § 1 of the APC, it had to be discontinued.

Tomasz W. lodged a complaint with the Viovodeship Administrative Court in Warsaw. The complainant asked for annulment of the decision of first and second instance. Tomasz W. claimed the violation of the substantive law, i.e. article 6(1) of the PPD, through its improper interpretation, of article 32(1) pt 7 and 8 of that Act, by recognizing that Tomasz W. is not entitled to request cessation of the processing of his data and the right to object, and a breach of article 7 of the APC by not explaining all the relvant facts. Tomasz W. disagreed with the statement of the GIODO that questioned information about his person is not personal data within the meaning of the PPD. He stated that any information about an identified or identifiable individual is personal data. Furthermore, he argued that the claim of the GIODO that the data are available only for specific people – registered users of the portal is not acceptable, because has no mechanisms for verification of users identity, which makes the questioned data easily accessible for everyone. Moreover, Tomasz W. also argued that a registered user who does not know him would have some difficulty in identifying his person but such obstacles would not happen to a person who knows about Tomasy W., and is looking for additional information.

The Voivodeship Administrative Court in its judgment of 3 March 2009 case file II SA/Wa 1495/08 ruled that the GIODO erred in its decisions, because information about the name and surname of Tomasz W., combined with information about the name and address of the primary school and the determination of the class to which he attended in 1978/79, even if it was thirty years ago, are personal data. According to the Court provisions of article 1 of the PPD introduced the principle of autonomy of human information, meaning the protection of information about human being. This provision is a kind of emanation of the general right guaranteed by the Polish Constitution in article 47, according to which “Everyone shall have the right to legal protection of his private and family life, of his honour and good reputation and to make decisions about his personal life”. This means that the protection of personal data is related to the protection of privacy rights. This follows from the wording of article 6 of the PPD, indicating that the personal data concern identified or identifiable natural or legal person and that the identifiable is a person is one whose identity can be determined. From wording of that provisions the VAC concluded that personal data are data that identify a person’s identity. The VAC also relied on the content of recital 12 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which emphasized the protection of all data relating to a person, and therefore also information about someones past.

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

However, in recital 26 of the abovementioned Directive states that data protection rules must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, all the means which can be used by the controller or any other person to identify a person, should be taken into the account. The rules of data protection do not apply to data rendered anonymously in such a way that a subject of the data can not be identified. The identification of a given person concerns also past information about a specific human being, by which information one can learn about such person’s identity. Accordingly, the VAC held that European law means the protection of personal data as the protection of all the facts concerning the past of a particular person, which corresponds with the content of article 6(2) of the PDP. So this means that such data would also be protected. Referring to the foregoing facts of Tomasz W. case, the VAC ruled that that website published his image and name. In the opinion of the court these are the personal data which are protected by the PPD, because on their basis one is able to identify given person.

Nasza Klasa sp. z o.o. filed a cassation complaint with the Supreme Administrative Court (SAC) challenging in entirety the judgment of the VAC. The Supreme Administrative Court in a judgment of 18 November 2009, case file I OSK 667/09, rejected the complaint. The SAC held that the primary issue arising in this case was whether a classmates’ picture that was taken thirty years ago, at which Tomasz W. is potrayed, in the circumstances of the case, can be analyzed to determine his identity without necessarily involving excessive resources or time, and therefore, whether the data disclosed in the photo in question, constitutes personal data within the meaning of article 6 of the PPD, and whether it should be protected.

The concept of “personal data” on the Polish law includes any information concerning an individual if it is possible to define its identity and its identification. Personal data is a set of messages about a particular person such integrated that it allows for its individualization. It includes at least information necessary for identification (name, surname, place of residence), but this is not restricted, because it also include further information, strengthening the degree of identification. Such information will also include pictures of the individual, even if they were taken in the past, allowing to identify a person. In a situation where such a photograph is presented with a name and surname of the person portrayed, in a place accessible to an unlimited number of entities, it must be considered that it constitutes personal data subject to protection under the PPD. Mainly, the objective evaluation criteria decides for the qualification of given information as personal data, but it also should comprise of all information, including extralinguistic (context), to which third party may have or has an access. A different approach to the presented issues would maginalize the importance of the laws and it would not relate to its designated function.

Thus it should be considered that the image of Tomasz W. portrayed at the photograph that was taken 30 years ago, affixed with the class, his name and surname, and then published at website constitutes personal data within the meaning of article 6(2) of the PPD, and the cassation complaint was not justified. The SAC also noted that the consent for the processing of personal data cannot be in any way implied.

The SAC also stressed the fact the Internet as a source of information is increasing on a unknown scale and importance. It provides an access to specific information to a vast number of persons and allows for any of its processing within the meaning of the PPD. At the same time there are not yet developed appropriate mechanisms for the protection of individual rights when those rights have been violated as a result of the disclosure of information on the Internet. Then, it is a great role of law enforcement bodies, including the Inspector General for Personal Data Protection in creating practice to comply with applicable laws also on the Internet. It is an unacceptablr situation in which the entity seeks to remove its image from a particular website, and the administration fails to take action to ensure the protection of civil rights. The image is one of the very personal property rights and lack of consent to its publication, if it is not a public person, is a sufficient reason to believe that regulations of the PPD apply, if the conditions set in the article 6(2) of the PPD have been met. There is a legal sequel to this story. See “Personal data protection, case II SA/Wa 1212/10“.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.