Is the Polish DPA competent to adjudicate matters concerning incidents that occurred prior to 25 May 2018?
Introduction
In February this year, the Supreme Administrative Court (NSA) reviewed a case determining whether the President of the Personal Data Protection Office (PDPO) is competent to rule on matters of wrongdoing in personal data processing that occurred before enactment of the GDPR and the Act of 10 May 2018 on the Protection of Personal Data (consolidated text, Journal of Laws of 2019, item 1781 (the “2018 Act”).
Case description
In May 2018, a complaint was received by the Polish regulator from a district court employee. The complaint concerned disclosure in January 2018 of correspondence containing the complainant’s personal data to employees of the court. The correspondence, which the complainant submitted to the harassment prevention team, was attached to an internal order and passed on to the court employees
In June 2020, the President of the PDPO issued a ruling stating that the case would not be investigated because the incident in question occurred when the Act of 29 August 1997 on the Protection of Personal Data (consolidated text, Journal of Laws of 2016, item 922 (the “1997 Act”) was in force.
The regulator stated in the ruling that the duties of the President of the PDPO include conducting investigations into application of the GDPR[1] (art. 57(1)(h) GDPR). Under interim provisions in the present Act on the Protection of Personal Data (art. 160(2) of the 2018 Act), however, the President of the PDPO conducts investigations instigated and still in progress at the time of enactment of the 2018 Act under the 1997 Act. Meanwhile, no provision enables the regulator to investigate an incident that occurred before the 2018 Act came into force, and the request for an investigation into the case was submitted subsequent to that date.
In a judgment of 12 December 2020, case file number II SA/Wa 1389/20, the Warsaw Voivodeship Administrative Court (WSA) concurred, after which the Supreme Administrative Court dismissed a final appeal against the WSA judgment in a judgment of 10 February 2022, case file number III OSK 5028/21. In the statement of reasons for the judgment, the NSA stated that the 1997 Act remained in effect with regard to issues covered by the Law Enforcement Directive until 6 February 2019, and thus did not apply in other cases.
Implications
The 1997 Act was repealed, and currently it can only be applied to cases instigated based on the act and not concluded definitively today. This means that if data were disclosed once and this is not an ongoing process, the regulator has no legal grounds to examine the lawfulness of the event.
The above does not apply when the processing began before the GDPR took effect and continued once the GDPR was in effect. For example, if in the case in question, the correspondence from the complainant had been published on the website of the court public information bulletin (BIP) between January 2018 and June 2018, this process would have been evaluated by the regulator even if the request for an investigation had been submitted to the regulator in May 2020.
This standpoint indirectly indicates that the regulator cannot apply punitive powers, such as a fine or warning, to data breaches prior to 25 May 2018 if it began an investigation regarding data processing after that date.
If the regulator issues a ruling concerning a fine and states that the fine has been moderated due to the duration of a breach that commenced prior to 25 May 2018, there are grounds for contesting the ruling.
At the same time, the standpoints of both the regulator and administrative courts in the case are correct.
Under the applicable law the President of the PDPO is not competent to evaluate the compliance of conduct of a controller with the 1997 Act, except where, in the conditions described in article 160(2) of the 2018 Act, the 1997 Act was repealed, and no authority can examine compliance with that act.
Meanwhile, in the context of the above, the question arises whether, when evaluating data processing that began prior to 25 May 2018 and is ongoing today, the regulator may evaluate events under the previous laws. If data are obtained lawfully, this determines that the data can continue to be processed. Therefore, if the regulator cannot evaluate the manner of obtaining the data, even if this occurred prior to the enactment of the 2018 Act, then it cannot evaluate the case properly either.
The intention behind each administrative case conducted before an authority must be issue of an administrative decision that is within the authority’s range of competencies. Regardless of the pertinent facts, article 58(2) of the GDPR does not apply to events that came to an end prior to 25 May 2018, the authority cannot investigate the case because any investigation of that kind would end in dismissal. At the same time, evaluating whether data are obtained lawfully is an essential element of evaluating the facts in a case, and therefore an authority may evaluate whether data are obtained lawfully under the laws in force at the time the data were obtained. As a result, the authority will issue a decision relating to data processing in progress after 25 May 2018, taking into consideration the processing of the data in the past, and this includes compliance with notification obligations or the effect of withdrawal of consent to data processing prior to 25 May 2018.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).