General information about personal data protection
Convention no. 108
Convention no. 108 of the Council of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the oldest worldwide legal act which comprehensively regulates the issues related to personal data protection.
The Convention imposed on Member States an obligation to develop legislation on personal data protection, indicating at the same time the direction to be followed by this legislation.
The purpose of this Convention is to secure in the territory of each Member State for every individual, whatever his nationality or resi¬dence, respect for his rights and fundamental freedoms, and in particu¬lar his right to privacy, with regard to automatic processing of personal data related to him. The Convention specified the minimum scope of these rights and the related obligations. The Convention entered into force as of 1 October 1985.
Directive 95/46/EC of the European Parliament and of the Council
Initially, the European Union did not see the need to regulate personal data protection in national, specific legal acts. The European Commission just postulated for the Convention no. 108 of the Council of 1982 to be ratified by the Member States.
However, with time discrepancies in legislations of particular EU Member States caused the need to harmonise them. The fundamental task to be fulfilled by this regulation was to ensure minimum and at the same time uniform for Member States level of protection of personal data collected in the filing systems and to ensure a free flow of personal data between Member States. The performance of the second task is an essential condition of ensuring, at next stage, a free flow of goods, services and persons between Community states, which each time involves the need to transfer personal data.
In 1990 works on relevant directive were started. They resulted in the issuance of Directive of the European Parliament and of the Council of 24 October 1995 (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The deadline for its implementation in the legal orders of Member States was set for 23 October 1998.
The Directive assumed a very broad understanding of the term of personal data and of data processing. It defined personal data as any information relating to an identified or identifiable natural person, and processing of personal data – as any operation or set of operations which is performed upon personal data (and enumerated these operations). It introduced a catalogue of minimum rights for persons whose data are collected. The violation of these rights would result in a possibility to pursue these rights before court. Admissibility of data processing was made dependent on the data subject’s will (consent). However, a closed catalogue of situations in which data processing is possible without such consent was specified. The Directive determines a group of so called sensitive data. In case of their processing a written consent is required. Also data relating to criminal convictions, which can be processed only by public entities, were handled separately in the Directive. Possible exemptions from the principle of ban on the processing of such data were specified. At the same time, pursuant to the Directive, data can be used exclusively for the purpose for which they were collected. The Directive introduced an obligation to inform persons about the principles of their data processing before the collection of these data. The person concerned can object to the processing of his/her data, provided that he or she has a legitimate purpose. Any person whose data were included in the filing system has the right to ask about the principles of data processing, starting with a possibility to obtain information on the controller, and ending with indication of the contents of these data. The Directive introduced as well the right for the data subject to control his/her data, including the right to object to the processing of data. Pursuant to the Directive, any person who has suffered damage as a result of an unlawful data processing incompatible with the Directive is entitled to receive compensation. One of the most important regulations introduced by the Directive is the issue of personal data transfer to third countries (such transfer is possible in case where the third country ensures an adequate level of protection).
Moreover, the Directive provided appointment of national supervisory authorities to supervise compliance with the Directive. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data was set up under Art. 29 of the Directive. The Working Party shall be composed of the representatives of national supervisory authorities and representatives of the Community institutions and European Commission. It shall contribute to uniform application of the Directive in Member States and give opinions on EU legal acts on privacy protection for the purposes of the Commission. The Directive provided also appointment of an advisory committee composed of the representatives of Member States. The Committee shall draft and give opinions on new legal acts in the scope regulated by the Directive.
Other international acts
The issue of personal data protection is referred to also in many other international acts, but not as complex as the mentioned ones.
Constitution of the Republic of Poland
The new Constitution of 1997 was the first one to guarantee the protection of personal data in Poland. Its Art. 47 guaranteed citizens the right to privacy and Art. 51 guaranteed each person the right to the protection of his/her information.
However, international obligations of Poland related to the EU accession resulted in the need to ensure personal data such protection as the one guaranteed by the EU Member States on their territories. All European acts were based on or adjusted to the Directive 95/46/EC of the European Parliament and of the Council.
Act on Personal Data Protection
The principles of personal data protection established in the Directive 95/46/EC were implemented into the Polish legal order by the Act of 29 August 1997 on the Protection of Personal Data (unified text: Journal of Laws of 2002 No. 101, item 926 with amendments). The Act on Personal Data Protection introduced detailed rules on personal data protection in Poland, and up to 1 May 2004, i.e. up to Poland’s accession to the European Union, included in the Polish legal order all principles specified in the Directive 95/46/EC of the European Parliament and of the Council. The provisions of the Act have been in force since 30 April 1998.
Implementation of the provisions on personal data protection into the Polish legal system allowed Poland to sign in April 1999 and to ratify in May 2002 the Convention No. 108 of the Council of Europe. Those activities reflected increasing democratisation of public life in Poland as well as concern for the protection of privacy of its every citizen.
The Act on Personal Data Protection determined a legal framework of personal data handling, as well as the principles to be used in the processing of personal data. It also specified the rights and obligations of authorities, institutions and persons keeping personal data filing systems, as well as the right of the data subjects, so as to guarantee maximum protection of the rights and freedoms to each natural person and respect for his/her private life.
The Act on Personal Data Protection while realising the requirements of the Community specified the constitutional right to decide on the fact to whom, in what scope and for what purpose we give our personal data, and gave statutory guarantees of compliance with this right by providing the data subjects with measures used for exercise of this right and competent authorities and services – with the legal remedies which guarantee compliance with this right. The main premise of the Act is granting every individual the right to have his/her data protected.
The Act determines the principles to be used in personal data processing, specifies the rights and obligations of authorities, institutions and persons keeping personal data filing systems as well as the rights of the data subjects so as to guarantee maximum protection of the rights and freedoms of each natural person and respect for his/her private life. The subjects possessing personal data are obliged to protect data against their unauthorised disclosure, takeover by an unauthorised person, processing with the violation of the Act, any change, loss, damage or destruction, that is to organise data handling in such a way and use such technical measures so as to ensure protection appropriate to the risks and category of data being used. The obligations related to the protection of data are specified in chapter 5 of the Act and in the Regulation by the Minister of Internal Affairs and Administration of 29 April 2004 as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing. The Act very precisely specifies the principles of disclosing data. Disclosure of personal data (except for the data subjected to special protection) for the purpose of inclusion into the filing system is possible after fulfilment of one of the conditions stipulated in Art. 23 paragraph 1 of the Act. One of these conditions, though not the only one, is the data subject’s consent. Data can be also used in case where it is necessary for the purpose of exercise of rights and duties resulting from a legal provision, it is necessary for the performance of a contract to which the data subject is a party, for public interest, as well as where it is necessary for the purpose of the legitimate interests pursued by the controllers. Whereby it is important that it is enough to fulfil one of the above mentioned conditions in order for the data to be disclosed. Whereas, in case where one person applies for disclosure of data, such situation is recognised by the Act as “providing access to the data for the purposes other than including into the data filing system” - Art. 29 of the Act shall apply, pursuant to which it is necessary to file a written and justified request in this case. In justification a person or subject applying for data must indicate a legal provision which authorises it to possess these data, or prove the need to possess them, whereby disclosure of data cannot in such case violate the rights and freedoms of the data subjects. The Act treated the following data in a special way: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, health records, genetic code, addictions or sexual life, data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings. The processing of such data is prohibited, unless one of the situations mentioned in Art. 27 paragraph 2 of the Act occurs. In case where one person applies for data, that is for the purpose other than inclusion into the filing system, the data can be disclosed only in case where the applicant is authorised by legal provisions. If there are no such provisions, it is not possible to disclose sensitive data, even if the applicant completely proved the need to possess them. Since 1 May 2004, that is since the day of Poland’s accession to the European Union, the transfer of data between Poland and European Union Member States is subject to the same principles as in the territory of Poland, whereas the principles on data transfer outside the territory of the European Economic Area is regulated in chapter 7 of the Act on Personal Data Protection, pursuant to which the transfer of personal data to a third country may take place only, if the country of destination ensures at least the same level of personal data protection in its territory as that in force in the territory of the Republic of Poland, but also in other special situations enumerated in Art. 47 paragraph 2 and 3 of the Act on Personal Data Protection. If none of the special situations occurs, the data can be transferred to a third country subject to a prior consent of the Inspector General, provided that the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject.
Inspector General for Personal Data Protection
Directive 95/46/EC provided appointment of national supervisory authorities to monitor compliance with this Directive.
The Polish Act on Personal Data Protection introduced an institution of the Inspector General for Personal Data Protection as the one competent in the issues concerning personal data protection.
Amendment to the Act
On 1 May 2004, that is on the day of Poland’s accession to the European Union, the provisions of the Act of January 22, 2004 on the Amendment of the Act on the Protection of Personal Data and the Act on Remuneration of Persons Holding State Managerial Posts (Journal of Laws No. 33, item 285) entered into force. The above mentioned Act introduced numerous amendments into provisions of the Act on the Protection of Personal Data. Adoption of this Act was supposed to fully implement into the Polish legal order the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The amended provisions comply with the remarks made by the European Commission pertaining to the correctness of implementation of the Directive 95/46/EC.
The amendment was first of all aimed at the need to adjust the provisions of the Act to the requirements of the Community relating to the accession to the European Union.
As a result of entry into force of these provisions the existing regulations as regards the objective scope of the Act on Personal Data Protection were changed. The information processed in computer systems, even in case where they are located outside the data filing system, was subjected to protection. Whereas, the change of the subjective scope of the Act was of fundamental importance from the point of view of the principle of uniform protection of personal data within common European market, stipulated in Art. 4 paragraph 1 of the Directive. Pursuant to this principle: in cases related to personal data protection the law of the country where the controller is processing personal data in connection with the conducted activity shall apply. The change made caused that the entities which belong to the European Economic Area are obliged to apply the provisions of the Polish Act on Personal Data Protection only in case where they undertake in the territory of the Republic of Poland business activity which is regulated in the Polish law.
The Act shall also not apply to the subjects having the seat or residing in the territory of the Republic of Poland or in a third country, if they are involved in the processing of personal data by means of technical devices located in the territory of the Republic of Poland, but only in case of transfer of data. The Act shall also not apply to press journalistic activity and literary and artistic activity, unless the freedom of expression and information dissemination considerably violates the rights and freedoms of the data subject.
Definitions contained in the Act were changed. First of all, the scope of the term “data controller” was extended. A definition of “data recipient” was introduced and at the same time specific subjects were excluded from its scope, which is of crucial importance in the context of exercising by the data subject the right to control the processing of data. The notion of “third country” was introduced as well which shall mean a country which does not belong to the European Economic Area. This caused, in the context of the remaining provisions of the Act, that the transfer of data in the territory of the European Economic Area, i.e., European Union countries and countries which are not EU Member States, but belong to the this area, e.g. Norway, Iceland, Lichtenstein, was treated as the transfer of data within the territory of Poland. The new provisions introduced the obligation for the data controller having the seat or residing in a third country to appoint its representative in the Republic of Poland. Free flow of data within the European Economic Area is a necessary condition of Poland’s membership in EU structures.
The provisions regarding transborder data flow were changed completely. The change of the provisions in this respect is a result of free flow of data to the countries belonging to the European Economic Area. The provision regulating the expression of consent by the Inspector General to the transfer of data to a third country was changed. According to its current wording in order to obtain such consent the controller has to ensure adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject.
As a result of amendment the wording of the provisions specifying the prerequisites legalising the processing of personal data was modified. The principles of fulfilment of the information obligation were changed as well. Instead of the previously provided information on the right to consult the data the data controllers were obliged to inform about the right of access to personal data. The provisions on exemption from fulfilment of the information obligation were repealed in case of the controllers of data commonly available or collected for the purpose of use, as well as in the situation where the data are processed on the basis of the legal provisions.
As regards the rights of the data subjects they were extended by granting them the right to obtain information on the prerequisites of making automatic decisions. The provisions on safeguarding data were also subjected to a complex change. Among the law enforcement provisions also the Regulation regulating the issues related to safeguarding the data processed in computer systems was repealed and replaced by new provisions. The introduced changes gave the data controllers significant leeway in the choice of measures used for safeguarding the processed data. Fundamental changes were introduced in the chapter devoted to the registration of data filing systems. The scope of information contained in the notification of data filing systems to registration was extended by introducing the information on the data controller’s representative and description of categories of the data subjects. The institution of prior checking of the processing of data subjected to special protection was introduced. Pursuant to the amended provisions the processing of such data can be initiated only after the registration of the data filing system, and not after notification of the filing system to registration – as it was done previously.
As a result of introduction of the above mentioned changes the provisions of the Act on Personal Data Protection were fully adapted to the European law.
The causes of amendment of part of the provisions of the Act on Personal Data Protection in 2004 were difficulties with their application in practice.
This group includes first of all the provisions which specify the Inspector General’s competencies in conducting inspections and making decisions. As a result of the changes the scope of powers of the inspectors of the Inspector General was extended and they were entitled to issue administrative decisions ordering to restore the proper legal state not only, as previously, in relation to data controllers, but also to other subjects processing data. Whereas, the Inspector General was granted additional supervisory powers which entitle it to issue decisions on striking off a data filing system in the register kept by this authority.
Also the provisions regulating the issues related to registration of a data filing system were modified. The scope of information available in the open register kept by the Inspector General was limited, and the scope of subjects to which the certificate of registration of data filing system is issued was changed. Only in case of data controllers using data subjected to special protection such certificate is issued ex officio, immediately after the registration of the filing system. In case of the controllers of other data such certificate is issued at their request. Also the method of updating the data included in the notification was changed. Currently, the same mode as the one applied in the registration of the filing system shall be used for update of the notification.
The amendment of the Act on Personal Data Protection introduced also a legal possibility to appoint a Deputy Inspector General for Personal Data Protection.
As of the day of entry into force of the provisions of the Act on the Amendment of the Act on the Protection of Personal Data and the Act on Remuneration of Persons Holding State Managerial Posts the law enforcement provisions were repealed and in consequence ceased to bind as well.
The amended provisions contained new authorisation for the Minister of Internal Affairs and Administration to issue proper law enforcement provisions. In consequence, three new regulations were issued:
- Regulation of 22 April 2004 as regards specimen of personal authorisations and service identity cards of the inspectors employed in the Bureau of the Inspector General for Personal Data Protection (Journal of Laws No. 94, item 923),
- Regulation of 29 April 2004 as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing (Journal of Laws No. 100, item 1024),
- Regulation of 29 April 2004 as regards specimen for a notification of a data filing system to registration by the Inspector General for Personal Data Protection (Journal of Laws No. 100, item 1025).