A lawyer representing one Polish entrepreneur, and as you already know personal data of the parties are removed from Polish courts’ judgments, requested the General Inspector for Personal Data Protection (GIODO) to issue an order to Home.pl company from Szczecin, to disclose personal data such as name, surname, the firm, address, office’s seat, phone number and e-mail address of a person, which had only published its caller id, and who registered a certain Internet domain name. The lawyer stated that his client is claiming the right to use the questioned domain name and the requested information is necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications.
Home.pl refused to provide the abovementioned personal data, arguing that the parties of the legal relationship arising from the fact of the registration and maintenance of Internet domain names are the Research and Academic Computer Network (in Polish: Naukowa i Akademicka Sieć Komputerowa) – the national registry of the .pl domain, and the domain name subscriber.
The GIODO performed an investigation based on the administrative proceedings regulations. The GIODO did an inspection of the Company’s headquarters and found that Home.pl maintains a separate collection of data of subscribers who have registered their domain names in NASK through Home.pl services. NASK is the national domain name registrar, while Home.pl arranges for the registration and maintenance of Internet domain names. Home.pl represents an applicant for the domain name registration before NASK. A natural or legal person and Home.pl have to establish a legal relationship based on a registration contract in order to register the domain name in NASK. The legal relationship is based on registering and maintaining of the internet domain name. The GIODO found that in this case, the contested domain name was registered by a natural person.
In September 2006, the General Inspector for Personal Data Protection issued an administrative decision which ordered Home.pl to disclose personal data of the individual who registered the Internet domain name in question, the name, surname, address, phone number and e-mail address. Home.pl requested for a retrial of the case. The GIODO upheld the decision and Home.pl filed a complaint against it.
The Voivodeship Administrative Court (VAC) in Warsaw in its judgment of 30 Novmeber 2007 case file II SA/Wa 71/07 ruled that the complaint was based on Article 29(2) in connection with Article 22 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), published in Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with subsequent amendments.
Article 29
1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.
(…)
Article 22
The proceedings with respect to the matters regulated by this Act shall be conducted pursuant to the provisions of the Code of Administrative Procedure, unless other provisions of the law state otherwise.
According to the VAC, the provisions of Article 29(1) and (2) allow third parties to request the disclosure of personal data for purposes other than inclusion in the collection. It should be noted that these provisions being in force until 1 May 2004, gave no grounds to demand the disclosure if the controller was the private sector. This situation changed after the amendment of 22 January 2004. The Court noted that the request for disclosure of personal data may be filed by any person i.e. natural person, any organizational unit, both public and private. It is important that the possesion of personal data is necessary to achieve intended goals, and the request for personal data is credible and reasonable. Such request does not require a collector to disclosure personal data because it must assess whether the conditions have been met to provide such data according to provisions of Article 29 of the PPD.
1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.
However, the VAC stressed that fact that collector’s discretion cannot mean its arbitrariness. In the case of the unfounded refusal to provide personal data according Article 29 (2) of the PPD, the General Inspector for Personal Data Protection shall have the right – in accordance with Article 18(1) pt. 2 of the PPD – to require the disclosure of personal data.
1. In case of any breach of the provisions on personal data protection, the Inspector General ex officio or upon a motion of a person concerned, by means of an administrative decision, shall order to restore the proper legal state, and in particular:
(…)
2) to complete, update, correct, disclose, or not to disclose personal data,
Undoubtedly, the request for the disclosure of personal data must be credible and legitimate. Thus, if such request is do not precluded by provisions of article 27 of the PPD, the collector must disclose such data.
1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings shall be prohibited.
2. Processing of the data referred to in paragraph 1 above shall not constitute a breach of the Act where:
1) the data subject has given his/her written consent, unless the processing consists in erasure of personal data,
2) the specific provisions of other statute provide for the processing of such data without the data subject’s consent and provide for adequate safeguards,
3) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his/her consent until the establishing of a guardian or a curator,
4) processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profitseeking organisations or institutions with a political, scientific, religious, philosophical, or trade-union aim and provided that the processing relates solely to the members of those organisations or institutions or to the persons who have a regular contact with them in connection with their activity and subject to providing appropriate safeguards of the processed data,
5) processing relates to the data necessary to pursue a legal claim,
6) processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his/her employees and other persons, and the scope of processing is provided by the law,
7) processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing appropriate safeguards,
8) the processing relates to those data which were made publicly available by the data subject,
9) it is necessary to conduct scientific researches including preparations of a thesis required for graduating from university or receiving a degree; any results of scientific researches shall not be published in a way which allows identifying data subjects,
10) data processing is conducted by a party to exercise the rights and duties resulting from decisions issued in court or administrative proceedings.
The Court had to consider the question of whether the application met the conditions set in Article 29 of the PPD. The legal representative proved that, the disclosure of personal data of a person who registered the disputed domain because was necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications. The Court noted that the arbitration proceedings are held in accordance with Article 1188 § 1 of the Civil Proceedings Code – CPC – (in Polish: Kodeks Postępowania Cywilnego) of 17 November 1964, published in Journal of Laws (Dziennik Ustaw) No 43, item 296, with subsequent amendments. The proceedings before the Court of Conciliation starts with the lodging of the statement of claim (the suit), which means that the suit should comply with the conditions laid down in Article 187 § 1 of the CPC. Under that provision, the statement of claim should meet the requirements of the pleading, and it also shall include: clearly defined demand in matters of property rights and the value of the claim, unless the case concerns the amount of money. The suit shall include all facts justifying the request and, if necessary, to justify the jurisdiction of the court. In accordance with Article 126 § 1 pt. 1 of the CPC, every pleading shall also contain, inter alia, the designation of the court to which it is addressed, the name or names of the parties, their legal representatives and/or agents. Therefore, the essential element of the claim for infringement of personal rights is to show the person against whom the request is addressed, i.e. the defendant in future proceedings for infringement of personal rights, and defendant’s address. The VAC found that the request in the Home.pl case was fully justified. The Court also confirmed that Home.pl is the controller within the meaning of Article 7(4) of the PPD, because according to the agreement with NASK, Home.pl decides on the purposes and means of the processing of personal data related to people who registered domain names. Thus, the party of the case was Home.pl, not NASK.
See also “Polish regulations on personal data protection“, “Polish case law on personal data protection” and “Polish case law on domain names“.