Activity report

of the Inspector General for the Protection of Personal Data

for the year 2003

This report constitutes an exercise of Art. 20 of the Act of 29 August 1997 on the Protection of Personal Data (unified text: Journal of Laws of 2002 No. 101, item 926 with amendments), pursuant to which once a year the Inspector General for the Protection of Personal Data shall submit to the Diet a report on his/her activities including conclusions with respect to observance of the provisions on personal data protection[1].

Table of Contents

Activity report of the Inspector General for the Protection of Personal Data for the year 2003

A. Introduction

1. Legal grounds of the activity of the Inspector General for the Protection of Personal Data

2. Amendment of the Act on the Protection of Personal Data

B. Organisation of the Bureau of the Inspector General for the Protection of Personal Data

1. Statutory organisational units of the Bureau of the Inspector General for the Protection of Personal Data

2. Budget of the Inspector General for the Protection of Personal Data

3. Number of staff

C. General characteristics of the activity of the Inspector General for the Protection of Personal Data

1. The scope of duties of the Inspector General for the Protection of Personal Data

2. Questions concerning interpretation of provisions

3. Expressing opinions on legal acts

5. International cooperation

6. Complaints

7. Inspections

8. Registration

9. The information activity of the Inspector General for the Protection of Personal Data

A. Introduction
1. Legal grounds of the activity of the Inspector General for the Protection of Personal Data

The Act of 29 August 1997 on the Protection of Personal Data (unified text: Journal of Laws of 2002 No. 101, item 926 with amendments), hereinafter referred to as the Act, which has been in force since 30 April 1998, constitutes a legal ground of the activity of the Inspector General for the Protection of Personal Data. This Act was passed in order to fulfil the obligation – expressed in Art. 51 of the Constitution of the Republic of Poland – to regulate the principles and mode of collection of and access to information on citizens.

The Act determines general principles of personal data processing, which shall be observed by all the subjects processing personal data[2], and the rights of natural persons whose personal data is or can be processed as a part of a data filing system[3]. The Act introduces also the scope of rights of the Inspector General for the Protection of Personal Data[4], in particular the right to widely understood supervision over ensuring the compliance of data processing with the provisions on the protection of personal data.

Pursuant to the Act on the Protection of Personal Data two enforcement provisions were promulgated: Regulation of June 3, 1998 by the Minister of Internal Affairs and Administration as regards establishing basic technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing (Journal of Laws No. 80, item 521 with amendments)[5] and Regulation of June 3, 1998 by the Minister of Internal Affairs and Administration as regards specimen application for disclosure of personal data, notification of a data filing system to registration and personal authorisation and service identity card of the inspector employed in the Bureau of the Inspector General for the Protection of Personal Data (Journal of Laws No. 80, item 522 with amendments)[6].

The Inspector General fulfils his/her duties with the assistance of the Bureau of the Inspector General for the Protection of Personal Data, the organisation and principles of activity of which are determined in the statutes enclosed with the Regulation of 29 May 1998 by the President of the Republic of Poland as regards granting the statutes to the Bureau of the Inspector General for the Protection of Personal Data (Journal of Laws No. 73, item 464 with amendments)[7].

2. Amendment of the Act on the Protection of Personal Data

In 2003 work on the amendment of the Act on the Protection of Personal Data was undertaken.

The activities aimed at amending the provisions resulted from the need to fully adapt the Act to the requirements of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the Directive, as well as from the need to modify some imperfect provisions[8]. Although the legislative process was not completed in the discussed period, due to involvement in the work on the amendment of the Act it is justified to refer to this subject in the report documenting the activity of the Inspector General for the year 2003[9].

The most important amendments introduced as a result of the amendment of the Act on Personal Data Protection, adapting its provisions to the Directive, include:

1) determining in a doubtless way, what is the objective scope of application of the Act – the Act shall apply to the processing of personal data in traditional filing systems (files, indexes, books, lists and other registers), and in case of computer system also to individual data processed outside from a data filing system,

2) precise determining a circle of subjects processing personal data which are obliged to apply the provisions of the Act on Personal Data Protection. The Act in its so far wording applied inter alia to controllers who neither had the seat nor resided in the territory of the Republic of Poland, but processed data by means of devices located in Poland. Such wording of the provision resulted in a situation where the processing of data by the controller having its seat in one of the countries of the European Union or European Economic Area was regulated by two acts – the act of the country of origin of data controller and the Polish act. This state of affairs was incompatible with the idea of uniform data protection in member states, whereby it is the protection by the law of the country in which the controller has the seat or is residing;

3) limiting the subjective scope of application of the Act by excluding from its requirements the subjects having the seat or residing in a third country, using technical devices located in the territory of the Republic of Poland for data transfer only;

4) limiting the application of the provisions of the Act, if the processing is related to press journalistic activity, literary or artistic activity, except for situations where the freedom of expression and information dissemination considerably violates the rights and freedoms of the data subject;

5) introducing definitions of the terms: data recipient and third country;

6) modifying the contents of the provision determining the conditions of legitimate data processing (i.e. Art. 23 paragraph 1 point 2, 3 and 5) in order to adapt its wording to the wording of parallel provisions in the Directive;

7) modifying the contents of the informational obligation realised by data controllers collecting data both from the data subject and indirect sources, by obliging them to inform the data subjects about the right of access to the contents of data, in place of the so far right to consult the data;

8) modifying the provisions on realisation by data controller of the informational obligation, in case of collecting data from indirect sources, i.e. not from the data subject, by abolishing the provisions which exempt the data controller from the informational obligation in case of collecting publicly available data and data processed for the purpose of single use;

9) introducing the obligation for data controllers having the seat or residing in a third country who process data in the territory of the Republic of Poland to appoint their representative in the Republic of Poland;

10) extending the rights of the data subject to obtain also the information on the conditions of making automatic decisions;

11) extending the scope of information contained in the notification of personal data filing system to registration, by introducing a requirement to describe the categories of data subjects;

12) introducing so called prior check of data processing accuracy, according to which the controllers of sensitive data, referred to in Art. 27 paragraph 1 of the Act, may start their processing in a data filing system only after having registered the filing system, unless the controller is exempted from the obligation to notify a filing system to registration by virtue of the Act;

13) ensuring free flow of data to member states of the European Union and EEA states not belonging to the Union by assuming that the conditions of legitimate data processing referred to in Chapter 7 of the Act will apply only in case of transfer of data to third countries, i.e. countries not belonging to EEA;

14) adopting – following the Directive – the condition for the data controller to ensure adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject, determining giving the consent by the Inspector General for data transfer to a third country.

Moreover, as a result of the amendment:

1) the scope of rights of inspectors in the course of an inspection was extended by granting them the right to make copies of documents and any data directly related to the subject of inspection;

2) the Inspector General was entitled to issue, in case of any breach of the provisions on personal data protection, decisions ordering to restore the proper legal state not only in relation to the subject being data controller, but also to all subjects processing personal data;

3) the possibility of disclosing data on the ground of Art. 29 of the Act ceased to be limited only to controllers from public sector;

4) the subjects to whom data controllers entrusted their processing pursuant to Art. 31 of the Act were covered with the control conducted by the Inspector General;

5) the obligations with regard to safeguarding personal data were precisely determined;

6) the scope of information available in the open register of personal data filing systems run by the Inspector General was limited;

7) the issue related to the procedure of notifying the changes to information included in the notification of data filing system to registration was regulated;

8) circle of subjects entitled to receive certificate on registration of the notified filing system was limited to data controller exclusively and only to filing systems notified by the controller;

9) obligation for the Inspector General was introduced to issue ex officio certificate of registration of data filing system immediately after the registration of the filing system subjected to the so called prior check;

10) the conditions exempting the data controller from the obligation to notify the data to registration were specified more precisely;

11) striking off an entry in the register of the data filing systems in case where the data are no longer processed in the registered filing system or the registration has been made with the violation of the law was provided for.

The amendment also established grounds for appointing the Deputy Inspector General for the Protection of Personal Data. On the one hand, it was dictated by significant growth of the number of cases handled by the Inspector General, on the other – by essential participation of a high enough rank representative of an independent data protection authority in many international undertakings. Regular meetings of the Art. 29 Working Party, each lasting a few days, during which the data protection commissioners from member and candidate states discuss current problems related to data protection and develop solutions of practical problems, may serve as an example.

B. Organisation of the Bureau of the Inspector General for the Protection of Personal Data
1. Statutory organisational units of the Bureau of the Inspector General for the Protection of Personal Data

Pursuant to the Regulation by the President of the Republic of Poland as regards granting the statutes to the Bureau of the Inspector General for Personal Data Protection, statutory organisational units of the Bureau include:

1) the Organisational and Administrative Department

2) the Legal Department

3) the Complaints Department

4) the Inspection Department

5) the Personal Data Files Registration Department

6) the IT Department

7) the Finance Department

8) the Protection Division

9) the Personnel Affairs Officer

10) the Press Team

2. Budget of the Inspector General for the Protection of Personal Data

In the Budgetary Act 2003 the budget of the Inspector General for the Protection of Personal Data was determined on the side of expenses for the amount of PLN 9,946,000, including:

- remunerations: PLN 6,378,000

- expenses for assets: PLN 200,000

- other expenses: PLN 3,368,000

The expenses realised by the Inspector General in 2003 amounted to PLN 9,697,000, i.e. 97.5 % of the planned amount, including:

- remunerations: PLN 6,288,700 (98.6 %)

- expenses for assets: PLN 190,600 (95.3 %)

- other expenses: PLN 3,218,300 (95.6 %)

In its post-control announcement provided to the Inspector General the Supreme Control Chamber positively evaluated the budget execution for the year 2003.

3. Number of staff

The number of posts held in the Bureau of the Inspector General for the Protection of Personal Data amounted to 111.7 on 31 December 2003.

Among all the employees of the Bureau, 91 persons were employed as professional staff, whereas 26 as auxiliary staff.

The presented assessment does not include the Inspector General.

C. General characteristics of the activity of the Inspector General for the Protection of Personal Data

1. The scope of duties of the Inspector General for the Protection of Personal Data

The Act on the Protection of Personal Data determines the principles of legitimate personal data processing and the rights of natural persons whose personal data is or can be processed as a part of a data filing system[10]. The provisions determining the rights of the data subjects would, however, be "dead" provisions, if the legislator simultaneously did not impose strictly defined obligations in this regard on data controllers. The exercise of rights and due fulfilment of the obligations by data controllers cannot be left without control of an independent data protection authority, that is the Inspector General for the Protection of Personal Data. The duties of the Inspector General were specified in Art. 12 of the Act and include in particular:

1) supervision over ensuring the compliance of data processing with the provisions on the protection of personal data,

2) issuing administrative decisions and considering complaints with respect to the enforcement of the provisions on the protection of personal data,

3) keeping the register of data filing systems and providing information on the registered data files,

4) issuing opinions on bills and regulations with respect to the protection of personal data,

5) initiating and undertaking activities to improve the protection of personal data,

6) participating in the work of international organisations and institutions involved in personal data protection.

Thus, having the right to issue administrative decisions, the Inspector General is an authority not only with control, but also with imperative rights. The scope of his/her competencies is, however, limited to cases closely related to personal data protection. Therefore, the authority cannot undertake activities in every case addressed to the Inspector General by a data subject. For example, the supervision over ensuring the compliance of personal data processing with the law by the court, which is one of quite frequent subjects of citizens’ complaints, does not include the justification of evidence adduced in cases, because it could violate the constitutional principle of independence of judges.

Handling complaints in cases related to exercise of the provisions on personal data protection and issuing administrative decisions after having established all the important circumstances of the case belong to the main duties of the personal data protection authority. The protection is most effective when the Inspector General, upon revealing – also in the course of post-control proceedings – the violation of the provisions of the Act, orders, by means of an administrative decision, the data controller to restore the proper legal state.

In 2003 the personal data protection authority issued 522 administrative decisions, including 55 after having considered applications for reconsidering the case, and drew up replies to 30 complaints addressed by parties to the Supreme Administrative Court.

Breakdown of the number of decisions issued by the Inspector General for the Protection of Personal Data within the last three years.

Breakdown of the number of applications for reconsidering the case by the Inspector General and replies to complaints addressed to the Supreme Administrative Court in 2003.

The judicial decisions of the Supreme Administrative Court also play a crucial role as regards appropriate understanding and application of the provisions of the Act and the effectiveness of the protection granted by the Act. In cases settled by decisions of the Inspector General which were appealed against in the Supreme Administrative Court, in 2003 the Court dismissed complaints in 15 instances, rejected complaints in 2 instances, dismissed a request for stay of execution of a decision of the Inspector General in 1 instance, accepted complaints in 6 cases, and stated nullity of decision in 1 instance.

Judicial decisions of the Supreme Administrative Court issued in 2003 in cases conducted by the Inspector General for the Protection of Personal Data

Considering the need for permanent improvement of personal data protection, the Inspector General addressed to subjects from both public and private sector 111 general approaches indicating the necessity to adapt the practice of these subjects to the binding provisions on personal data protection. Indicating the proper way of application of the Act to subjects governed by the Act prevents violations of legal provisions and contributes to enhancing the level of personal data protection in Poland. It needs to be noted that lack of coherence in the legal system – which was also signalled – and omitting the Inspector General or not taking into account the Inspector General’s opinions in the course of preparation of draft legal acts provoke irregularities in the course of personal data processing.