Polish IP & IT law – copyright trademark computer internet telecomm

Archive for: Art. 22 PPD

Personal data protection, case II SA/Wa 152/13

July 29th, 2013, Tomasz Rychlicki

Jerzy S. requested the Inspector General for Personal Data Protection (GIODO) to issue a decision that would order Agora S.A., the owner of gazeta.pl website, to disclose IP addresses of a user, who under the nickname Marco wrote negative and defamatory comments regarding a sport article, that Jerzy S. published on gazeta.pl. This way Jerzy S. wanted to know real the name of Marco, in order to sue him or her for the infringement of personal rights based on the provisions of the Polish Civil Code. Jerze S. requested Agora to disclose such information, but the Company refused and cited provisions of Article 18(6) of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usług droga elektroniczną), published in Journal of Laws (Dziennik Ustaw) No. 144, item. 1204 with subsequent amendments.

Article 18
1. The service provider may process the following personal data of the service recipient necessary for entering in, designing contents, amending or terminating legal relationship between them:
1) service recipient’s surname and names ,
2) his/her PESEL number (Personal Identification Number),
3) his/her permanent residence address,
4) his/her address for correspondence, if it is different than the address referred to in point 3,
5) data used for verifying the service recipient’s electronic signature,
6) service recipient’s electronic addresses .
2. In order to effect contracts or other legal activity having been concluded with a service recipient, a service provider may process other data necessary due to nature (characteristics) of the service provided or way of its billing.
3. The service provider distinguishes and marks those data from among the data referred to in paragraph 2, as such being necessary for providing services by electronic means in accordance with art. 22 paragraph 1.
4. The service provider may process, upon consent of s service recipient and for the purposes set forth in art. 19 paragraph 2 point 2, other data concerning the service recipient, which are not necessary for providing service by electronic means.
5. The service provider may process the following data describing the way of using the service provided by electronic means by a service recipient (traffic data):
1) denotations identifying the service recipient assigned on the basis of the data referred to in paragraph 1,
2) denotations identifying the telecommunication network terminal or a teleinformation system, which have been used by a service recipient,
3) information about commencement, termination and a range of every usage of the service provided by electronic means,
4) information about using of the service provided by electronic means by a service recipient.
6. The service provider provides the information on data referred to in paragraphs 1 – 5 to the state authorities for the needs of legal proceedings carried on by them.

The Company argued that it is obliged to provide such information only to the state authorities. However, the GIODO ordered Agora to disclose requested IP addresses. The Voivodeship Administrative Court in Warsaw in its order of 20 February 2013 case file II SA/Wa 153/13 suspended execution of the contested decision. The GIODO filed complaint against this order, but the Supreme Administrative Court in its order of 23 April 2013 I OZ 269/13 dismissed it.

The Voivodeship Administrative Court in Warsaw in its judgment of 17 June 2013 case file II SA/Wa 153/13 dismissed the compliant filed by AGORA. The Court ruled that in this case the condition established in Article 25(1)(v) of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, was met.

Article 25
1. In case where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his/her personal data, with the following information:
1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name,
2) the purpose and the scope of data collection, and in particular, about the data recipients or categories of recipients,
3) the source of data,
4) the existence of the data subject’s right of access to his/her data and the right to rectify these data,
5) the powers resulting from Article 32 paragraph 1 point 7 and 8.

Article 32
1. The data subject has a right to control the processing of his/her personal data contained in the filing systems, and in particular he/she has the right to:
1) obtain extensive information on whether such system exists and to establish the controller’s identity, the address of its seat and its full name, and in case the controller is a natural person to obtain his/her address and his/her full name,
2) obtain information as to the purpose, scope, and the means of processing of the data contained in the system,
3) obtain information since when his/her personal data are being processed and communication to him/her in an intelligible form of the content of the data,
4) obtain information as to the source of his/her personal data, unless the controller is obliged to keep it confidential as a state, trade or professional secrecy,
5) obtain information about the means in which the data are disclosed, and in particular about the recipients or categories of recipients of the data,
5a) obtain information about the prerequisites of taking the decision referred to in Article 26a paragraph 2,
6) demand the data to be completed, updated, rectified, temporally or permanently suspended or erased, in case they are not complete, outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected,
7) make a justified demand in writing, in cases referred to in Article 23 paragraph 1 point 4 and 5, for the blocking of the processing of his/her data, due to his/her particular situation,
8) object to the processing of his/her personal data in cases referred to in Article 23 paragraph 1 point 4 and 5, should the controller intend to process the data for marketing purposes or to object to the transfer of the data to another controller,

Personal data protection, case II SA/Wa 2037/10

May 12th, 2011, Tomasz Rychlicki

The Polish branch of McDonald’s Corp. has made a promotional campaign based on the issuance of the so-called “bonificards” i.e. discount cards entitling the holder to purchase certain McDonald’s products at a reduced price. Only employees and business partners were allowed to use such cards. The terms of the promotion explicitly stated that the cards cannot be resold. McDonald’s learned that cards were offered for sale or as a free bonus to other items sold on Allegro – Polish Internet auctions website.

McDonald’s requested Allegro to disclose personal data of persons engaged in the above mentioned auctions, on the grounds that these buyers and sellers violated the terms and rules of promotion, and thus McDonald’s intended to take steps to – on one hand – to deprive sellers of their wrongfully obtained benefits, on the other hand – to take away all bonificards from people who bought them. Allegro refused to provide requested data, indicating that there was no reason to assume that there was any kind of illegal action, arguing that disclosure may be classified as unlawful conduct of the controller that violates personal interests of the users and that may result in Allegro’s responsibility that is based on civil law regulations.

McDonald’s requested the Inspector General for Personal Data Protection to order Allegro the disclosure of information previously requested. The GIODO refused and pointed out that in this case the interests of McDonald’s cannot prevail over the interests of persons affected by the request. The disclosure of such data would be, in fact, too far-reaching interference with the privacy of the person concerned. McDonald’s filed a complaint against these decisions.

The Voivodeship Administrative Court in Warsaw in its judgment of 16 March 2011 case file II SA/Wa 2037/10 overruled GIODO’s decisions. The VAC held that McDonald’s has the right to know who offers promotion cards at online auctions provided by Allegro. The Court ruled that the provisions of the PPD cannot be interpreted as meaning that the disclosure of personal data of a person who offer to sell someone else’s property, violates that person’s interests. The protection of interests of one person cannot be done without prejudice to the rights of others. Especially, when such persons knew that they were trying to dispose of someone’s else things whose value was measured in money (the value of the Company’s products that were available in the promotional terms). The court ordered to reconsider the case, where the GIODO shall take into account all comments made by the VAC. The GIODO decided to file a cassation complaint.

The Supreme Administrative Court in its judgments case files I OSK 834/11 and I OSK 1137/11 agreed with the GIODO. The Court held that in the case of electronic services, personal data may be disclosed only for the purposes of criminal proceedings.

Personal data protection, case I OSK 756/09

July 11th, 2010, Tomasz Rychlicki

A former entrepreneur (natural person) requested a telecommunications company to remove his personal data that were used for marketing purposes. The company did not want to take into account the above-mentioned demands, arguing that the rights provided in Article 33 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, are not afforded for persons who perform or performed professional business activity (entrepreneurs).

Article 33
1. At the request of the data subject, within the period of 30 days, the controller shall be obliged to notify the data subject about his/her rights, and provide him/her with the information referred to in Article 32 paragraph 1 point 1-5a as regards his/her personal data, and in particular specify in an intelligible form:
1) the category of personal data contained in the file,
2) the means of data collection,
3) the purpose and the scope of data processing,
4) the recipients of the data and the scope of access they have been granted.
2. At the request of the data subject, the information referred to in paragraph 1 shall be given in writing.

The Supreme Administrative Court in its judgment of 15 March 2010 case file I OSK 756/09 held that provisions of Article 6 of the PPD does not differentiate the rights of individuals, depending on whether they are performing business activity or not. In this situation, there was no reason to exclude information about natural persons conducting business/economic activity from the protection guaranteed by the PPD.

Article 6
1. Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person.
2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

Personal data protection, case II SA/Wa 71/07

February 12th, 2010, Tomasz Rychlicki

A lawyer representing one Polish entrepreneur, and as you already know personal data of the parties are removed from Polish courts’ judgments, requested the General Inspector for Personal Data Protection (GIODO) to issue an order to Home.pl company from Szczecin, to disclose personal data such as name, surname, the firm, address, office’s seat, phone number and e-mail address of a person, which had only published its caller id, and who registered a certain Internet domain name. The lawyer stated that his client is claiming the right to use the questioned domain name and the requested information is necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications.

Home.pl refused to provide the abovementioned personal data, arguing that the parties of the legal relationship arising from the fact of the registration and maintenance of Internet domain names are the Research and Academic Computer Network (in Polish: Naukowa i Akademicka Sieć Komputerowa) – the national registry of the .pl domain, and the domain name subscriber.

The GIODO performed an investigation based on the administrative proceedings regulations. The GIODO did an inspection of the Company’s headquarters and found that Home.pl maintains a separate collection of data of subscribers who have registered their domain names in NASK through Home.pl services. NASK is the national domain name registrar, while Home.pl arranges for the registration and maintenance of Internet domain names. Home.pl represents an applicant for the domain name registration before NASK. A natural or legal person and Home.pl have to establish a legal relationship based on a registration contract in order to register the domain name in NASK. The legal relationship is based on registering and maintaining of the internet domain name. The GIODO found that in this case, the contested domain name was registered by a natural person.

In September 2006, the General Inspector for Personal Data Protection issued an administrative decision which ordered Home.pl to disclose personal data of the individual who registered the Internet domain name in question, the name, surname, address, phone number and e-mail address. Home.pl requested for a retrial of the case. The GIODO upheld the decision and Home.pl filed a complaint against it.

The Voivodeship Administrative Court (VAC) in Warsaw in its judgment of 30 Novmeber 2007 case file II SA/Wa 71/07 ruled that the complaint was based on Article 29(2) in connection with Article 22 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments.

Article 29
1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.
(…)
Article 22
The proceedings with respect to the matters regulated by this Act shall be conducted pursuant to the provisions of the Code of Administrative Procedure, unless other provisions of the law state otherwise.

According to the VAC, the provisions of Article 29(1) and (2) allow third parties to request the disclosure of personal data for purposes other than inclusion in the collection. It should be noted that these provisions being in force until 1 May 2004, gave no grounds to demand the disclosure if the controller was the private sector. This situation changed after the amendment of 22 January 2004. The Court noted that the request for disclosure of personal data may be filed by any person i.e. natural person, any organizational unit, both public and private. It is important that the possesion of personal data is necessary to achieve intended goals, and the request for personal data is credible and reasonable. Such request does not require a collector to disclosure personal data because it must assess whether the conditions have been met to provide such data according to provisions of Article 29 of the PPD.

1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.

However, the VAC stressed that fact that collector’s discretion cannot mean its arbitrariness. In the case of the unfounded refusal to provide personal data according Article 29 (2) of the PPD, the General Inspector for Personal Data Protection shall have the right – in accordance with Article 18(1) pt. 2 of the PPD – to require the disclosure of personal data.

1. In case of any breach of the provisions on personal data protection, the Inspector General ex officio or upon a motion of a person concerned, by means of an administrative decision, shall order to restore the proper legal state, and in particular:
(…)
2) to complete, update, correct, disclose, or not to disclose personal data,

Undoubtedly, the request for the disclosure of personal data must be credible and legitimate. Thus, if such request is do not precluded by provisions of article 27 of the PPD, the collector must disclose such data.

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings shall be prohibited.
2. Processing of the data referred to in paragraph 1 above shall not constitute a breach of the Act where:
1) the data subject has given his/her written consent, unless the processing consists in erasure of personal data,
2) the specific provisions of other statute provide for the processing of such data without the data subject’s consent and provide for adequate safeguards,
3) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his/her consent until the establishing of a guardian or a curator,
4) processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profitseeking organisations or institutions with a political, scientific, religious, philosophical, or trade-union aim and provided that the processing relates solely to the members of those organisations or institutions or to the persons who have a regular contact with them in connection with their activity and subject to providing appropriate safeguards of the processed data,
5) processing relates to the data necessary to pursue a legal claim,
6) processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his/her employees and other persons, and the scope of processing is provided by the law,
7) processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing appropriate safeguards,
8) the processing relates to those data which were made publicly available by the data subject,
9) it is necessary to conduct scientific researches including preparations of a thesis required for graduating from university or receiving a degree; any results of scientific researches shall not be published in a way which allows identifying data subjects,
10) data processing is conducted by a party to exercise the rights and duties resulting from decisions issued in court or administrative proceedings.

The Court had to consider the question of whether the application met the conditions set in Article 29 of the PPD. The legal representative proved that, the disclosure of personal data of a person who registered the disputed domain because was necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications. The Court noted that the arbitration proceedings are held in accordance with Article 1188 § 1 of the Civil Proceedings Code – CPC – (in Polish: Kodeks Postępowania Cywilnego) of 17 November 1964, published in Journal of Laws (Dziennik Ustaw) No 43, item 296, with subsequent amendments. The proceedings before the Court of Conciliation starts with the lodging of the statement of claim (the suit), which means that the suit should comply with the conditions laid down in Article 187 § 1 of the CPC. Under that provision, the statement of claim should meet the requirements of the pleading, and it also shall include: clearly defined demand in matters of property rights and the value of the claim, unless the case concerns the amount of money. The suit shall include all facts justifying the request and, if necessary, to justify the jurisdiction of the court. In accordance with Article 126 § 1 pt. 1 of the CPC, every pleading shall also contain, inter alia, the designation of the court to which it is addressed, the name or names of the parties, their legal representatives and/or agents. Therefore, the essential element of the claim for infringement of personal rights is to show the person against whom the request is addressed, i.e. the defendant in future proceedings for infringement of personal rights, and defendant’s address. The VAC found that the request in the Home.pl case was fully justified. The Court also confirmed that Home.pl is the controller within the meaning of Article 7(4) of the PPD, because according to the agreement with NASK, Home.pl decides on the purposes and means of the processing of personal data related to people who registered domain names. Thus, the party of the case was Home.pl, not NASK.