Archive for: Art. 26 PPD

Personal data protection, case I OSK 633/08

March 11th, 2010, Tomasz Rychlicki

The Supreme Administrative Court in its judgment of 3 July 2009 case file I OSK 633/08 held that the processing/storage/retention of personal data in backup copies of bank’s IT system is nothing but the processing of these data, and such processing is possible only in all cases defined by the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments. In case, where the credit agreement was not concluded, the processing of personal data in backup copies has no justification in the provisions of the PPD and there is no such situation as referred in Article 26 of the PPD.

Article 26
1. The controller performing the processing of data should protect the interests of data subjects with due care, and in particular to ensure that:
1) the data are processed lawfully,
2) the data are collected for specified and legitimate purposes and no further processed in a way incompatible with the intended purposes, subject to the provisions of paragraph 2 below,
3) the data are relevant and adequate to the purposes for which they are processed,
4) the data are kept in a form which permits identification of the data subjects no longer than it is necessary for the purposes for which they are processed.
2. The processing of data, for the purpose other than intended at the time of data collection is allowed provided that it does not violate the rights and freedoms of the data subject and is done:
1) for the purposes of scientific, didactic, historical or statistical research,
2) subject to the provisions of Article 23 and Article 25.

The SAC also ruled that such processing is also not justified by the provisions of the Act on Banks Law.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Personal data protection, case I OSK 174/08

September 26th, 2009, Tomasz Rychlicki

The biggest Polish telecommunication company – Telekomunikacja Polska S.A. posted on its website an offer to sell its databases. This offer was addressed to research and telemarketing companies, BTL advertising agencies, insurance companies and banks. TP proposed a disclosure of private telephone numbers of its subscribers as part of the database. Through this service the company was preparing a database of phone numbers compatible with the order placed and then it passed the database on a CD for a client with a protocol of receipt. The phone numbers could be selected or sorted according to geographical criteria.

The Inspector General for Personal Data Protection ordered not to disclose of personal data of subscribers of Telekomunikacja Polska’s who are consumers within the meaning of Article 221 of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, published in Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments, to third parties in the future.

Article 221
The consumer shall be deemed to be any natural person who performs acts in law which are not directly connected with his economic or professional activity.

The prohibition was not allowed without fulfilling one of the conditions of Article 23(1) of the Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with subsequent amendments.

Article 23
1. The processing of data is permitted only if:
1) the data subject has given his/her consent, unless the processing consists in erasure of personal data,
2) processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision,
3) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
4) processing is necessary for the performance of tasks provided for by law and carried out in the public interest,
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

The GIODO held that according to Article 159(1) of the Polish Act of 16 July 2000 on Telecommunications Law – TLA – (in Polish: Prawo telekomunikacyjne), published in Journal of Laws (Dziennik Ustaw) No 171, item 1800 with subsequent amendments, phone numbers are deemed as the telecommunications secrecy. Telekomunikacja Polska S.A. filed a complaint against this decision.

The Voivodeship Administrative Court in Warsaw in its judgment of 12 November 2007 case file II SA/Wa 1252/07 dismissed this case and TP S.A. decided to file a cassation complaint.

The Supreme Administrative Court in its judgment of 26 January 2009 case file I OSK 174/08 dismissed the cassation and held that Article 159(1) TLA provides for stronger data protection than the provisions of Article 23 of the PPD and therefore it will be used as a basis for legalizing the processing of telecommunications secrecy.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.