Processing of personal data on the Internet – the Polish regulator’s perspective
Over the last few years, the European Court of Justice has issued a number of important judgments relating to the processing of personal data on the Internet (Wirtschaftsakademie, Fashion ID, and Planet49). The European Data Protection Board has also issued a number of guidelines in this area (for example for processing personal data of social network users).
The policy of the Polish Data Protection Authority (Polish DPA) is relevant in this context.
First, the Polish data protection authority is not competent in matters of privacy as defined in Directive 2002/58/EC (e-Privacy Directive). This is important in deciding cases concerning whether it is permitted to install and use different identifiers (e. g. cookies). The competent authority for this is the President of the Office of Electronic Communications, who issues the decision on the basis of telecommunications law. Telecommunications law provisions also specify the penalties for breaching these provisions.
Secondly, it can be seen from the Polish DPA’s decisions that where the entity concerned only has a user’s Internet identifier (e. g. their IP address), the regulator even considers this processing of personal data within the meaning of the GPDR where. Consequently, the GDPR will apply to unregistered users, i. e. users who visit a given website but do not have
an account or profile there.
Unlike in the case of the Wirtschaftsakademie or Fashion ID case rulings, the Polish DPA has not yet adopted the concept of co-management of entities cooperating in various types of Internet advertising campaigns, including the collection of personal data for the purpose of such campaigns.
Also, with regard to the processing of personal data on the Internet for the controller’s own marketing purposes, the grounds for these activities may be the legitimate interests pursued by the controller (Article 6(1)(f) GDPR). However, a balance of interest test is required in this case.
In light of the latest Polish DPA decisions, the right of access to personal data covers not only personal data provided by Internet users (e. g. where an account is created), but also observed and inferred data.
The highest fine imposed so far by the Polish DPA on an Internet entity was PLN 2,800,000 (EUR 600,000).
Finally, to date, the Polish DPA has not approved a code of conduct for the Internet industry. This code is expected in 2022. A proposal has been drawn up by the Internet Advertising Bureau Poland (IAB Poland).