Polish IP & IT law – copyright trademark computer internet telecomm

Archive for: Art. 23 PPD

Personal data protection, I CSK 190/12

August 29th, 2013, Tomasz Rychlicki

The Supreme Court in its judgment of 8 November 2012 case file I CSK 190/12 held that without a doubt, the first name and surname constitute personal data of the individual, therefore, the important question arose, whether they belong to the scope of the individual’s privacy as understood in the provisions of Article 5(2) of the Polish Act of 6 September 2001 on Access to Public Information – API – (in Polish: Ustawa o dostępie do informacji publicznej), published in Journal of Laws (Dziennik Ustaw) No. 112, item 1198, with subsequent amendments.

Article 5. 1. The right to public information is subject to limitation to the extent and on the principles defined in the provisions on the protection of confidential information and on the protection of other secrets being statutorily protected.
2. The right to public information is subject to limitation in relation to privacy of a natural person or the secret of an entrepreneur. The limitation does not relate to the information on persons performing public functions, being connected with performing these functions, including the conditions of entrusting and performing these functions and in the event when a natural person or entrepreneur resigns from the right to which he was entitled to.

Previous opinions of the Supreme Court on the relationship between the right to protect of personal data and the right to privacy are not clear. They were formulated mainly from the point of view of the protection of personal interests as defined in Articles 23 and 24 of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, published in Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments.

Article 23
The personal interests of a human being, in particular to health, dignity, freedom, freedom of conscience, surname or pseudonym, image, secrecy of correspondence, inviolability of home, and scientific, artistic, inventor’s and rationalizing achievements, shall be protected by civil law independent of protection envisaged in other provisions.

Article 24
§ 1 The person whose personal rights are threatened by someone else’s action, may require the desist of that action, unless it is not illegal. In the event of the infringement one may also require, the person who committed the violation, to fulfill the actions necessary to remove its effects, in particular, to make a statement of the relevant content and appropriate format. According to the conditions laid down in the Code one may also require monetary compensation or payment of an appropriate amount of money for a social purpose indicated.
§ 2 If as the result of a breach of personal rights one has suffered pecuniary prejudice, the aggrieved person may claim compensation based on general principles.
§ 3 The above shall not prejudice the entitlements provided by other regulations, in particular in copyright law and the patent (invention) law.

The Supreme Court in its judgment of 15 February 2008 case file I CSK 358/07 (published in OSNC 2009, no. 4, item 63) ruled that legal commentators and case law of the Constitutional Court agree that the right to protect of personal data is derived directly from personal rights such as human dignity and the right to privacy, citing judgments of the Polish Constitutional Tribunal of 19 February 2002 case file U 3/01 (published in OTK-A 2002, no. 1, item 3) and of 12 November 2002 case file SK 40/01 (published in OTK-A 2002, no. 6, item 81). Nowadays, the collection and processing of the personal data is technically relatively simple, therefore it is necessary to protect a person against uncontrolled collection and use of his or her personal data, often without the contribution or even awareness of the person concerned. For these reasons, the legislator specifically regulated the issues of data collection, processing, use and protection of personal data in the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. While interpreting its provisions, one cannot ignore the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and its preamble that explicitly states that data-processing systems are designed to serve man, whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy. The Supreme Court in its judgment of 28 April 2004 III CK 442/02 (unpublished) stressed that when assessing whether there has been the breach of privacy protected by the law, this concept cannot be absolutized due to the degree of its generality, it requires interpretation, taking into account the specific circumstances of the situation. Events and circumstances that form the personal and family life can be classified as private sphere of life. The special nature of this area of man’s life justify the grant of its strong legal protection. However, this does not mean that any reference to a particular person was information in the field of his or her personal life. The regime of protection of privacy and personal data protection regime are therefore independent. Undoubtedly, when it comes to the relationships and the impact of these regimes, because in certain situations, the actual processing of personal data may result in a violation of personal interests in the form of the right to privacy, or protection of the right to privacy will required the objection to the use of personal data. It is difficult to unequivocally determine whether the disclosure of the first name and the surname of an individual by a local government violates his or her right to privacy. This problem can be resolved only while assessing particular circumstances of each case. In this case, the city was requested to disclose the names of individuals with whom it has entered into a contract of mandate and contract of work. One of these contracts concerned preparation and delivery of a lecture. It was difficult for the Court to accept that anonymization and hiding of the surname of a person giving such a lecture would have any meaning. Other agreements related to use of the electronic system of sociological analysis and organization of the conference. They were entered by specific individuals with a public body, which was the city. These people had to reckon with the fact that their personal data will not remain anonymous. For a person requesting access to public information related contracts entered by a local authority, names of parties to such agreements are often more important than the content, and it is understandable for obvious reasons. It would be difficult in this case to defend the view that the disclosure of names of people in the present context would be deemed as a limitation on the exercise of constitutional freedoms and rights of these persons. It had therefore to be assumed, that the disclosure of the names of persons entering civil contracts with a local authority does not affect the right to privacy of those persons referred to in Article 5(2) of the API.

Personal data protection, case IX Nc 1850/11

April 14th, 2012, Tomasz Rychlicki

The Regional Court in Wrocław in its judgment of 2 February 2012 case file IX Nc 1850/11 held that that there was no reason to accept the view that electronic services providers are required to bear costs for rendering information on given data to the state authorities for the needs of legal proceedings carried on by them. Therefore, the court ruled that the Police has to pay to the company that operates social-networking site for gathering and processing requested data and information, according to the specifiaction that was received from the Police.

Personal data protection, case II SA/Wa 1009/11

December 28th, 2011, Tomasz Rychlicki

A Polish farmer who owns an agriculture tourism farm and is advertising his services and business on a personal website, has found negative comments about his services at one of the Internet forum websites. He asked the administrator of the forum to remove his personal data. Some posts have been removed, but the farmer has demanded the removal of all statements and comments, and the access to personal data of forum’s users. He requested the Inspector General for Personal Data Protection (GIODO) to order the forum administrator to remove all comments and to disclose all necessary personal data. The GIODO refused to issue such a decision and ruled that the farmer himself published such information as his name and address on his website in connection to the conducted economic activity. According to the GIODO, the processing of information on the farmer’s name on the Internet forum website, has its justification in Article 23(1)(v) of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments.

1. The processing of data is permitted only if:
1) the data subject has given his/her consent, unless the processing consists in erasure of personal data,
2) processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision,
3) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
4) processing is necessary for the performance of tasks provided for by law and carried out in the public interest,
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

According to the GIODO, the purpose of the legitimate interests is based on providing a service that allows for posting on the internet forum. The dissatisfied farmer filed a complaint against this decision.

The Voivodeship Administrative Court in its judgment of 16 November 2011 case file II SA/Wa 1009/11 dismissed it and decided that personal data published on a website that advertises agritourism services, are closely related to his business activities, and therefore subject to much weaker protection. These services may be subject to different assessments of people using them, there may be also some negative comments. The Court noted that the farmer could file a civil suit for the infringement of his interests against persons who wrote such comments.

Personal data protection, case II SA/Wa 2037/10

May 12th, 2011, Tomasz Rychlicki

The Polish branch of McDonald’s Corp. has made a promotional campaign based on the issuance of the so-called “bonificards” i.e. discount cards entitling the holder to purchase certain McDonald’s products at a reduced price. Only employees and business partners were allowed to use such cards. The terms of the promotion explicitly stated that the cards cannot be resold. McDonald’s learned that cards were offered for sale or as a free bonus to other items sold on Allegro – Polish Internet auctions website.

McDonald’s requested Allegro to disclose personal data of persons engaged in the above mentioned auctions, on the grounds that these buyers and sellers violated the terms and rules of promotion, and thus McDonald’s intended to take steps to – on one hand – to deprive sellers of their wrongfully obtained benefits, on the other hand – to take away all bonificards from people who bought them. Allegro refused to provide requested data, indicating that there was no reason to assume that there was any kind of illegal action, arguing that disclosure may be classified as unlawful conduct of the controller that violates personal interests of the users and that may result in Allegro’s responsibility that is based on civil law regulations.

McDonald’s requested the Inspector General for Personal Data Protection to order Allegro the disclosure of information previously requested. The GIODO refused and pointed out that in this case the interests of McDonald’s cannot prevail over the interests of persons affected by the request. The disclosure of such data would be, in fact, too far-reaching interference with the privacy of the person concerned. McDonald’s filed a complaint against these decisions.

The Voivodeship Administrative Court in Warsaw in its judgment of 16 March 2011 case file II SA/Wa 2037/10 overruled GIODO’s decisions. The VAC held that McDonald’s has the right to know who offers promotion cards at online auctions provided by Allegro. The Court ruled that the provisions of the PPD cannot be interpreted as meaning that the disclosure of personal data of a person who offer to sell someone else’s property, violates that person’s interests. The protection of interests of one person cannot be done without prejudice to the rights of others. Especially, when such persons knew that they were trying to dispose of someone’s else things whose value was measured in money (the value of the Company’s products that were available in the promotional terms). The court ordered to reconsider the case, where the GIODO shall take into account all comments made by the VAC. The GIODO decided to file a cassation complaint.

The Supreme Administrative Court in its judgments case files I OSK 834/11 and I OSK 1137/11 agreed with the GIODO. The Court held that in the case of electronic services, personal data may be disclosed only for the purposes of criminal proceedings.

Personal data protection, case II SA/Wa 1212/10

February 4th, 2011, Tomasz Rychlicki

The case of Tomasz W. and his image treated as personal data still continues. See “Personal data protection, case I OSK 667/09“. GIODO annulled its earlier decision, however it also refused to take account Tomasz W. requests in its new decision. GIODO ruled that personal data (photos and captions) of Tomasz W. are not presented on the website, and are not publicly available because they were removed from the specified address. GIODO also noted that Nasza-Klasa is still processing the personal data treating it as evidence, because it keeps them on its servers and in the system’s memory. GIODO finally held that the Company, as controller, is processing these data under provisions of Article 23(1)(v) of the PPD, under which such the processing of data is permitted because it is necessary for the purpose of the legitimate interests pursued by the controller and that the processing does not violate the rights and freedoms of the data subject. Among the reasons justifying the data processing, GIODO mentioned the possibility of establishing the responsibility of the recipient for violations of the Terms of Service that were set by the Company. This judgment is not final yet. GIODO filed a cassation complaint.

The Voivodeship Administrative Court in Warsaw in its judgment of 1 December 2010 case file II SA/Wa 1212/10 ruled that, these circumstances do not fulfill the conditions for legitimate interests of data processing. It should be noted that the condition relates to the existing and unquestionable situation, so if there is a need to demonstrate a need to claim in business, not a situation where the data are processed for eventual trial and the possible need to prove that personal data obtained without the consent of the person concerned shall be processed in accordance with the law. The Court also noted that Tomasz W. only announced but he did not initiate any courts proceedings against Nasza-Klasa. Therefore, according to the Court, Nasza-Klasa was not allowed to process personal data only to protect itself against any future and uncertain claims mentioned by Tomasz W. Otherwise, there are doubts how long to process personal data if Tomasz W. fails to comply with his announcement.

Personal data protection, case I OSK 633/08

March 11th, 2010, Tomasz Rychlicki

The Supreme Administrative Court in its judgment of 3 July 2009 case file I OSK 633/08 held that the processing/storage/retention of personal data in backup copies of bank’s IT system is nothing but the processing of these data, and such processing is possible only in all cases defined by the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. In case, where the credit agreement was not concluded, the processing of personal data in backup copies has no justification in the provisions of the PPD and there is no such situation as referred in Article 26 of the PPD.

Article 26
1. The controller performing the processing of data should protect the interests of data subjects with due care, and in particular to ensure that:
1) the data are processed lawfully,
2) the data are collected for specified and legitimate purposes and no further processed in a way incompatible with the intended purposes, subject to the provisions of paragraph 2 below,
3) the data are relevant and adequate to the purposes for which they are processed,
4) the data are kept in a form which permits identification of the data subjects no longer than it is necessary for the purposes for which they are processed.
2. The processing of data, for the purpose other than intended at the time of data collection is allowed provided that it does not violate the rights and freedoms of the data subject and is done:
1) for the purposes of scientific, didactic, historical or statistical research,
2) subject to the provisions of Article 23 and Article 25.

The SAC also ruled that such processing is also not justified by the provisions of the Act on Banks Law.

Personal data protection, case I OSK 667/09

February 13th, 2010, Tomasz Rychlicki

On 15 January 2008, Tomasz W. filed with the General Inspector for Personal Data Protection (GIODO) a complaint concerning an unauthorized processing of personal data carried out by the Polish company Nasza Klasa Sp. z o.o. from Wroclaw, the owner of nasza-klasa.pl website. He informed the GIODO, that this very popular Polish website on classmates, hosts a photo featuring his image together with a list of names of other photographed people attached to it. Tomasz W. has repeatedly appealed to the website administrators with the request to remove his name from the list. However, he received no response from Nasza Klasa company.

As a result of the investigation, the GIODO found that on 31 December 2007, a registered user of nasza-klasa.pl posted classmates’ photo featuring students of a primary school. On the same day, another registered user, placed the names of people who were portrayed at the photograph – including the name and surname of Tomasz W. On 2, 9 and 14 January 2008, Tomasz W. requested Nasza Klasa Sp. z o.o. the removal of his personal data.

In a decision of 27 May 2008, case file DOLiS/DEC-314/08/13239, the GIODO, relying on the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments, ruled that information on the applicant’s full name, school and class to which he attended, together with his image, are personal data and the data collector is Nasza Klasa Sp. z o.o.

However, the GIODO also ruled that it should be borne in mind that according to the provision of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usług droga elektroniczną), published in Journal of Laws (Dziennik Ustaw) No. 144, item. 1204 with subsequent amendments, Nasza Klasa sp. z o.o. provides electronic services for registered users of the portal website, consisting of the storage of data of these users in the computer system. This activity is the condition to legalize the processing of personal data in accordance with article 23(1) pt. 5 of the PPD. In addition, the GIODO found that in this case the applicant’s rights have not been violated, because the access to its data was limited to a group of people registered on nasza-klasa.pl website.

Tomasz W. asked the GIODO for the retrial. He pointed out that the reasons for the decision have many contradictions, inconsistencies and is ambiguous. He accused the GIODO of laconic and cursory treatment of his case. He again emphasized that his personal data have been published on the nasza-klasa.pl website without his knowledge or consent, in violation of his civil rights and liberties.

After the rehearing of the case, the GIODO annulled the contested decision, and discontinued the proceedings. GIODO claimed that the re-examination of the case leads to the conclusion that the disputed information about Tomasy W. did not fall within the definition of personal data. The name and surname have been given under his old image from many years ago. Hence, the combination of photos from the past, with a name and surname of a person and a primary school, which such person attended did not allow for the identification of a person without excessive costs and time. The findings that the disputed information is not personal data within the meaning of the PPD caused the proceedings in the matter to be groundless and on the basis of article 105 § 1 of the APC, it had to be discontinued.

Tomasz W. lodged a complaint with the Viovodeship Administrative Court in Warsaw. The complainant asked for annulment of the decision of first and second instance. Tomasz W. claimed the violation of the substantive law, i.e. article 6(1) of the PPD, through its improper interpretation, of article 32(1) pt 7 and 8 of that Act, by recognizing that Tomasz W. is not entitled to request cessation of the processing of his data and the right to object, and a breach of article 7 of the APC by not explaining all the relvant facts. Tomasz W. disagreed with the statement of the GIODO that questioned information about his person is not personal data within the meaning of the PPD. He stated that any information about an identified or identifiable individual is personal data. Furthermore, he argued that the claim of the GIODO that the data are available only for specific people – registered users of the portal is not acceptable, because nasza-klasa.pl has no mechanisms for verification of users identity, which makes the questioned data easily accessible for everyone. Moreover, Tomasz W. also argued that a registered user who does not know him would have some difficulty in identifying his person but such obstacles would not happen to a person who knows about Tomasy W., and is looking for additional information.

The Voivodeship Administrative Court in its judgment of 3 March 2009 case file II SA/Wa 1495/08 ruled that the GIODO erred in its decisions, because information about the name and surname of Tomasz W., combined with information about the name and address of the primary school and the determination of the class to which he attended in 1978/79, even if it was thirty years ago, are personal data. According to the Court provisions of article 1 of the PPD introduced the principle of autonomy of human information, meaning the protection of information about human being. This provision is a kind of emanation of the general right guaranteed by the Polish Constitution in article 47, according to which “Everyone shall have the right to legal protection of his private and family life, of his honour and good reputation and to make decisions about his personal life”. This means that the protection of personal data is related to the protection of privacy rights. This follows from the wording of article 6 of the PPD, indicating that the personal data concern identified or identifiable natural or legal person and that the identifiable is a person is one whose identity can be determined. From wording of that provisions the VAC concluded that personal data are data that identify a person’s identity. The VAC also relied on the content of recital 12 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which emphasized the protection of all data relating to a person, and therefore also information about someones past.

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

However, in recital 26 of the abovementioned Directive states that data protection rules must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, all the means which can be used by the controller or any other person to identify a person, should be taken into the account. The rules of data protection do not apply to data rendered anonymously in such a way that a subject of the data can not be identified. The identification of a given person concerns also past information about a specific human being, by which information one can learn about such person’s identity. Accordingly, the VAC held that European law means the protection of personal data as the protection of all the facts concerning the past of a particular person, which corresponds with the content of article 6(2) of the PDP. So this means that such data would also be protected. Referring to the foregoing facts of Tomasz W. case, the VAC ruled that that nasza-klasa.pl website published his image and name. In the opinion of the court these are the personal data which are protected by the PPD, because on their basis one is able to identify given person.

Nasza Klasa sp. z o.o. filed a cassation complaint with the Supreme Administrative Court (SAC) challenging in entirety the judgment of the VAC. The Supreme Administrative Court in a judgment of 18 November 2009, case file I OSK 667/09, rejected the complaint. The SAC held that the primary issue arising in this case was whether a classmates’ picture that was taken thirty years ago, at which Tomasz W. is potrayed, in the circumstances of the case, can be analyzed to determine his identity without necessarily involving excessive resources or time, and therefore, whether the data disclosed in the photo in question, constitutes personal data within the meaning of article 6 of the PPD, and whether it should be protected.

The concept of “personal data” on the Polish law includes any information concerning an individual if it is possible to define its identity and its identification. Personal data is a set of messages about a particular person such integrated that it allows for its individualization. It includes at least information necessary for identification (name, surname, place of residence), but this is not restricted, because it also include further information, strengthening the degree of identification. Such information will also include pictures of the individual, even if they were taken in the past, allowing to identify a person. In a situation where such a photograph is presented with a name and surname of the person portrayed, in a place accessible to an unlimited number of entities, it must be considered that it constitutes personal data subject to protection under the PPD. Mainly, the objective evaluation criteria decides for the qualification of given information as personal data, but it also should comprise of all information, including extralinguistic (context), to which third party may have or has an access. A different approach to the presented issues would maginalize the importance of the laws and it would not relate to its designated function.

Thus it should be considered that the image of Tomasz W. portrayed at the photograph that was taken 30 years ago, affixed with the class, his name and surname, and then published at nasz-klasa.pl website constitutes personal data within the meaning of article 6(2) of the PPD, and the cassation complaint was not justified. The SAC also noted that the consent for the processing of personal data cannot be in any way implied.

The SAC also stressed the fact the Internet as a source of information is increasing on a unknown scale and importance. It provides an access to specific information to a vast number of persons and allows for any of its processing within the meaning of the PPD. At the same time there are not yet developed appropriate mechanisms for the protection of individual rights when those rights have been violated as a result of the disclosure of information on the Internet. Then, it is a great role of law enforcement bodies, including the Inspector General for Personal Data Protection in creating practice to comply with applicable laws also on the Internet. It is an unacceptablr situation in which the entity seeks to remove its image from a particular website, and the administration fails to take action to ensure the protection of civil rights. The image is one of the very personal property rights and lack of consent to its publication, if it is not a public person, is a sufficient reason to believe that regulations of the PPD apply, if the conditions set in the article 6(2) of the PPD have been met. There is a legal sequel to this story. See “Personal data protection, case II SA/Wa 1212/10“.

Personal data protection, case II SA/Wa 1085/04

February 11th, 2010, Tomasz Rychlicki

In July 2003, the Inspector General for Personal Data Protection (GIODO) received a complaint in which a natural person, known as W.K. (personal data of the parties are removed from Polish courts’ judgments), requested the GIODO to issue an order to the Polish Internet company to reveal personal data of persons, against which the applicant wanted to initiate legal proceedings. The complaint showed that the online forum operated by the Internet company hosted defamatory content posted by persons using only nicknames.

W.K. proved that he had requested the Company to disclose full IP addresses of computers from which persons using only nicknames have sent messages to the online forum. The applicant also pointed out that the Regional Prosecutor’s Office refused to determine the perpetrators of the alleged defamation. The refusal was also upheld by the District Prosecutor’s Office.

W.K. pointed out that he brought a private accusation based on article 212 § 1 of the Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments, to the Regional Court in K., against the persons who used given nicknames. The Court has issued an order in which it considered the private accusation legally ineffective because it included error in the form – i.e., no indication of names of defendants and their addresses, and W.K. did not clear these errors.

The GIODO has found that the purpose for which W.K. has applied for, i.e. the access to personal data, to assert his rights before the court, is legally justified. The use of these data by the applicant in the proceedings could not be considered as a violation of the rights and freedoms of persons whos personal data was collected because after the initiation of criminal or civil proceedings, personal data would be in a disposition the court.

The Company filed a complaint to the Voivodeship Administrative Court (VAC) in Warsaw. The Court in a judgment of 9 February 2005, case file II SA/Wa 1085/04, annulled the contested decision. The VAC held that the complaint was based on article 23(1) pt. 5 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

1. The processing of data is permitted only if:
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

The court did not accept that the wording of this provision can be interpreted as a rule requiring a data controller to reveal personal data at the request of the person whose requested data does not concern. The basis for such claims available for third parties for purposes other than inclusion in the data collection, was provided in the article 29(1) and (2) of the PPD. This provision being in force until 1 May 2004, did not give rise to demand release of the data, if the controller/administrator of the data were private sector.

The Court also held that the imposition of the duty of the data controller can only be done when the information being available to the controller falls into the category of personal data as defined in article 6(1) of the PPD.

personal data shall mean any information relating to an identified or identifiable natural person.

The requested information related to IP addresses of computers from which the messages were posted by certain people using certain nicknames. The Company argued that it does not require users of its forum to identify themselves in order to post information, what causes that, the IT administration system of the portal website hosting different forums, registers only IP address of computers of persons using the system, and it does not produce other data for identifying the user of a forum. Only a request to the operator of the telecommunication network could lead to the identification of the computer which was connected to the server hosting the portal and its forums. The Court cited English and Polish comentators and found that information, that without extraordinary and disproportionate effort can be “linked” with a specific person, especially by using readily and widely available sources, also deserve credit for their category of personal data. The identifiable person is defined in article 6(2) of the Polish Act of August 29, 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

Personal data protection, case II SA/Wa 297/09

October 21st, 2009, Tomasz Rychlicki

An individual had a telecommunications services agreement with a Company, but failed to comply with the payment and the Company has assigned the claim to another entity. The debtor requested by the assignee filed a complaint to the Inspector General for Personal Data Protection. It found that the operation of the company not been in conflict with the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. The debtor filed a complaint against this decision.

The Voivodeship Administrative Court in Warsaw in its judgment of 26 August 2009 case file II SA/Wa 297/09 held that the transfer of the debt is inseparably connected with the transfer of personal data of the debtor. Such situation is in accordance with the provisions of Article 509 § 2 of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, published in Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments.

Article 509. § 1. The creditor may, without the debtor’s consent, transfer the receivable debt upon a third party (assignment) unless that would be at variance with statutory law, a contractual stipulation, or the nature of the obligation.
§ 2. Together with the receivable debt, the rights connected therewith shall pass to the acquirer, in particular, the claim for the interest in arrear.

All related rights together with the debt claim are transferred to the acquirer, and thus the right to dispose of the debtor’s personal information in order to implement the debt. The acquirer becomes autonomous possessor of the debtor’s personal data. The acquirer becomes the controller of personal data and processes personal information for its own account and risk. The acquirer enjoys the same rights and obligations relating to the processing of personal data as the previous controller.

Personal data protection, case I OSK 174/08

September 26th, 2009, Tomasz Rychlicki

The biggest Polish telecommunication company – Telekomunikacja Polska S.A. posted on its website an offer to sell its databases. This offer was addressed to research and telemarketing companies, BTL advertising agencies, insurance companies and banks. TP proposed a disclosure of private telephone numbers of its subscribers as part of the database. Through this service the company was preparing a database of phone numbers compatible with the order placed and then it passed the database on a CD for a client with a protocol of receipt. The phone numbers could be selected or sorted according to geographical criteria.

The Inspector General for Personal Data Protection ordered not to disclose of personal data of subscribers of Telekomunikacja Polska’s who are consumers within the meaning of Article 22¹ of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, published in Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments, to third parties in the future.

Article 22¹
The consumer shall be deemed to be any natural person who performs acts in law which are not directly connected with his economic or professional activity.

The prohibition was not allowed without fulfilling one of the conditions of Article 23(1) of the Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with subsequent amendments.

Article 23
1. The processing of data is permitted only if:
1) the data subject has given his/her consent, unless the processing consists in erasure of personal data,
2) processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision,
3) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
4) processing is necessary for the performance of tasks provided for by law and carried out in the public interest,
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

The GIODO held that according to Article 159(1) of the Polish Act of 16 July 2000 on Telecommunications Law – TLA – (in Polish: Prawo telekomunikacyjne), published in Journal of Laws (Dziennik Ustaw) No 171, item 1800 with subsequent amendments, phone numbers are deemed as the telecommunications secrecy. Telekomunikacja Polska S.A. filed a complaint against this decision.

The Voivodeship Administrative Court in Warsaw in its judgment of 12 November 2007 case file II SA/Wa 1252/07 dismissed this case and TP S.A. decided to file a cassation complaint.

The Supreme Administrative Court in its judgment of 26 January 2009 case file I OSK 174/08 dismissed the cassation and held that Article 159(1) TLA provides for stronger data protection than the provisions of Article 23 of the PPD and therefore it will be used as a basis for legalizing the processing of telecommunications secrecy.