
Privacy Laws and Business International Report


Poland's new legislation [1998] PLBIRp 5; (1998) 44 Privacy Laws and Business International Report 5

Poland legislates on data protection to pave its way for EU Membership

A report by Nick Platten

A RECENT ADDITION TO THE LIST of European countries with data protection legislation in place is Poland, where on 30th April this year the Data Protection Act came into force. Prior to this, on 4 April, Ms Eva Kulesza had been appointed as ‘General Inspector’ (the equivalent of a Data Protection Commissioner) under the Act.

The General Inspector is expected to become fully operational over the summer months. In the meantime, the new law is attracting a great deal of attention in business circles, and a number of conferences and symposiums have already taken place as companies seek to understand their new legal obligations in respect of the personal data they process.

The first step towards this latest addition to the body of European data protection law was taken early last year when a new constitution was adopted in Poland. The constitution, which entered into force on 16th October 1997, includes a guarantee that “everyone has the right to legal protection of his privacy and family life” (Article 47). Also the secrecy of communications is guaranteed, subject to limitations set down in law (Article 49). The Constitution contains a number of specific data protection rights (Article 51): citizens are not obliged to divulge information about themselves except by law, and the public authorities cannot collect, conserve or communicate information on citizens other than that which is necessary in a democratic state. Furthermore, everyone is guaranteed a right of access to official documents and files about themselves, and everyone has a right to request rectification or deletion of inaccurate or incomplete data, or data collected illegally. The constitution also states that the principles and modalities for the collection and communication of information shall be defined in law.

This constitutional requirement to define the principles and modalities for the collection and communication of information led to the adoption of the Act of 29th August 1997 on the Protection of Personal Data.

The Polish law sets out both obligations on organisations that collect and process data, and rights for individuals.

PRIVACY LAW HAS PRACTICAL AND SYMBOLIC IMPORTANCE

As in many of the countries of Eastern and Central Europe, the adoption of a general data protection law is seen in Poland as part of the wider process of aligning its laws with those of the European Union. Poland submitted a formal application for EU membership in April 1994. It is one of the six applicant countries with whom negotiations leading to eventual accession have already begun, the others being Hungary, Slovenia, the Czech Republic, Estonia and Malta. Membership of the EU is a realistic prospect early in the next century. Irrespective of the accession process, however, for a former member of the Communist Soviet bloc such as Poland, the adoption of data protection law based on the fundamental human right to privacy has its own symbolic importance, and is seen as a further step in bolstering the country’s democratic and human rights credentials. It is understood that the ratification of the Council of Europe Convention no. 108 is now likely, although at the time of writing no such ratification had taken place.

LAW APPLIES ALSO TO MANUAL DATA

The Polish law follows the classical formula of a general law of horizontal application, which sets out both obligations on organisations that collect and process data, and rights for individuals which apply equally to all data processing in the private or public sectors. A central concept is the ‘filing system’ (a structured set of personal data accessible according to specific criteria), a concept which is used to define the limits of the law’s scope. Any personal information, computerised or manually-held, is covered by the Act, provided it is held within a filing system.1 In terms of its geographic scope, the law applies to any processing carried out by way of technical devices located on Polish territory. As with many national laws and the EU Data Protection Directive, data processing for purely personal or domestic purposes is not covered by the Act.

INDEPENDENT AUTHORITY HAS INVESTIGATIVE POWERS

The Act establishes a ‘General Inspector’ who has all the characteristics and powers of the conventional data protection authorities known throughout Europe. The Inspector is independent of government, and capable of dismissal only in limited circumstances and with the agreement of both chambers of the Polish parliament. Her basic duties are to ensure compliance with the Act, issue administrative decisions and consider complaints from individuals, promote more effective data protection, and participate in the work of international organisations. She is equipped with appropriate investigative powers, and where a breach of the law is revealed, she may take a variety of administrative actions to remedy the situation. She will notify criminal offences under the Act (of which there are a number including fines and prison sentences) to the prosecuting authorities. The possibility for individuals to obtain a civil remedy for damages caused by breaches of the Act is not explicitly mentioned in the law.

The Inspector is also responsible for maintaining a register of filing systems. The Act includes a general duty to register, but this is accompanied by a series of rather broad exemptions from this duty. Interestingly, and perhaps worryingly from a privacy perspective, the General Inspector is deprived of any complaint-handling and investigative powers in respect of any data files which are exempt from registration. This is an approach which is clearly at odds with the requirements of the EU Directive. The directive decouples registration (notification) from the enforcement powers of the supervisory authority, and explicitly requires that the basic requirements of data protection be applicable to all data controllers, whether exempt from registration or not.

The Polish data protection act is a comprehensive and well-structured law which has clearly been modeled quite closely on the EU directive.

THE CUSTOMARY COCKTAIL OF RIGHTS AND OBLIGATIONS

Those with a knowledge of the EU Directive or even of the new UK Data Protection Bill will find many familiar features in the substantive data protection rules included in the Polish Act. The obligations on data controllers are grouped together in Chapter 3 of the Act, and include six alternative grounds for rendering processing legitimate (based on article 7 of the directive). Also included is a set of ‘data quality principles’ (based on Article 6 of the directive and Article 5 of Convention no. 108) encompassing the basic purpose principle, requirements for processing to be lawful (although not ‘fair’) and data to be relevant, accurate and held no longer than necessary. There are provisions dealing with the information to be provided when data are collected, whether from the data subject himself or from a third party, and specific provisions on sensitive data.

Additional provisions are included setting out rules which deal with the disclosure of data, as is a rather curious article (Article 30) which sets out the conditions under which a data controller can refuse to disclose data to, for example, state authorities. This provision would seem to reverse the customary assumption that such disclosures are prohibited unless explicitly permitted.

The provisions regarding the data controller’s obligations to protect the security of personal data are found in Chapter 5 of the Act. One slightly strange feature is that although the Act does envisage the sub-contracting of data processing, it does not include any notion or definition of a ‘sub-contracted processor’ or ‘computer bureau’, and does not impose any security obligations on such bodies.

As far as the rights of data subjects are concerned, Chapter 4 sets out a lengthy list including the essential rights of access and rectification, and the right to be given information about the purpose, scope and manner of the processing as well as about disclosures and recipients of the data. The Act also includes a number of the new rights found in the EU data protection directive, such as the right to information about the source of the data, and the right to object to processing in certain cases, such as where the data are to be used for marketing. Exemptions to these data subject rights are limited to those necessary for state secrecy, national defence or security, human health or life, public security, property or order, or a fundamental economic interest of the state. A substantial breach of the data subject’s or a third party’s personal rights would be another ground for exemption. Two of the supplementary rights required by the directive, namely the right not to be subject to an automated decision and to be told the logic behind such decisions, as well as the right to have third parties who have received erroneous data informed when the data are rectified, are, however, missing.

TRANSBORDER DATA FLOWS - THE DIRECTIVE MODEL

The approach of the Act to transfers of personal data outside Poland set out in Chapter 7 is modeled closely on Articles 25 and 26 of the EU Directive, although some of the detailed terminology is different. The basic principle is that transfers should be permitted only to countries ensuring an “equivalent” (as opposed to the directive’s “adequate”) level of protection. There are, however, a certain number of exceptions to this principle, including where the data subject consents to the transfer, where the transfer is required by law, where it involves publicly-available data or where it is authorised by the General Inspector. The exceptions appear, on paper at least, a little more generous than the directive, but the system is in essence the same.

WILL RESOURCES BE FOUND TO ENFORCE THE LAW PROPERLY?

Poland’s Data Protection Act is a comprehensive and well-structured law which has clearly been modeled quite closely on the EU Directive. This seems a sensible tactic given Poland’s aspirations to EU membership. Of course, the law has its own peculiarities, but then Poland is not unique in that. The long-established laws of Germany, France, Sweden and the UK all have their own particular approach to data protection issues, something that the implementation of the EU directive will not entirely eradicate.

The question for the future is how well Poland will be able to effectively apply its new law, and ensure that public and private sectors alike develop data processing practices which respect data protection principles. Crucial to this will be the extent of resources made available to the newly-incumbent General Inspector. Poland, like all the countries considered candidates for EU membership (with the exception of Cyprus and perhaps Slovenia), is considerably poorer in terms of Gross Domestic Product per head than even the poorest of the EU’s current members. Public money for the operation of a data protection authority is therefore likely to be limited. In spite of this, it is to be hoped that sufficient resources will be found to enable the new authority to operate effectively, to educate both individuals and data controllers regarding their new rights and obligations, and allow the Polish law to make the impact that it should.

1 It should be noted that this is a slightly different approach to that taken by the EU Data Protection Directive (95/46/EC), which applies the notion of ‘filing system’ only to manual data.

Nick Platten is a consultant in international privacy and data protection law. He can be contacted by e-mail: nicholas.platten@bigfoot.com.

The Office of the Polish Data Protection Authority is currently being set up. We will publish contact details in a future issue.


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/5.html