Polish administrative court rules that the GDPR does not grant power to the data protection to order the disclosure of personal data to third parties at their request
A Company requested the Polish DPA (the President of the Personal Data Protection Office, further as "the Polish DPA") to order the controller to disclose personal data of a natural person that allegedly damaged the company reputation using electronic means of communications offered by the controller. The Company needed the data subject's name and the IP address to seek redress against him or her. Before submitting the request to the Polish DPA, the Company had unsuccessfully asked the controller to provide the dataset at issue
The Polish DPA dismissed the Company's request stating that neither article 58 GDPR that enumerates supervisory authorities' powers nor current national laws allow it to order controllers to disclose data subject's information to a third party at its request. In the Polish DPA view, based on the applicable data protection law, it is impossible to order the controller to pass third party's data on to the Company. Therefore, the Polish DPA decided to discontinue the proceedings in this case. The Company subsequently challenged the decision before the Provincial (Voivodeship) Administrative Court in Warsaw (the Court). Its complaint emphasised that the Polish DPA had ignored article 6 (1) (f) GDPR and had wrongly assumed its lack of competence to order the disclosure of a third party's personal data. The Company argued that it had a legitimate interest in protecting its rights while requesting the personal data of a person who damaged its reputation.
Furthermore, in the Company's opinion, the Polish DPA could order the controller to make personal data available pursuant to article 58 (1) (a) GDPR. In response to the complaint, the Polish DPA upheld its arguments presented in the contested decision and filed for dismissing the complaint. The Polish DPA stressed that the special powers conferred upon it in the past, i.e. before 25 May 2018, are no longer applicable. The authority also emphasised that public law competence cannot be presumed and indicated that its lack of power to order disclosure of personal data of a third person does not exclude the possibility of obtaining such data by the interested party by using measures foreseen in Polish civil law.
In this context, it should be recalled that the Polish DPA could order controllers to disclose personal data under the previously applicable Polish Act on Personal Data Protection from 1997. However, currently, neither the GDPR nor Polish Act on Data Protection from 2018 foresee such powers.
The ruling of the Provincial (Voivodeship) Administrative Court in Warsaw
The Court noted that the essence of the case revolves around the question of whether the GDPR or the provisions of the Polish Act on Personal Data Protection from 2018 allow Polish DPA to order a controller the disclosure of personal data to third parties at their request to use it in a possible civil action. In the Court's opinion, the answer to such a question should be negative since:
The GDPR was adopted to ensure the adequate level of protection for data subjects and not to grant information rights to other entities, including those pursuing legal claims against natural persons whose personal data is protected;
- The GDPR neither confers information rights to third parties, nor such rights can be inferred from article 6 (1) (f) GDPR;
- Article 58 (1) (a) GDPR merely refers to the scope of the tasks of the supervisory authorities, and one cannot derive from that provision that supervisory authorities may order controllers to disclose personal data in its possession to third parties;
- Article 58 (2) (c) GDPR does not entitle supervisory authorities to order controllers to disclose personal data in their possession to third parties. The phrase "data subject" used in this provision refers namely to a person whose data are being processed by a given controller and not to a third party;
- Polish Act on Personal Data Protection of 2018 does not grant the Polish DPA power to force controllers to disclose personal data to third parties at their request.
Thus the Court concluded that the Polish DPA had correctly decided to discontinue the proceedings in this case as, under currently applicable laws, it was not competent to order the controller to undertake the actions demanded by the Company.
The Court's judgment confirms that the Polish DPA is not entitled under the GDPR and Polish Act on Personal Data Protection from 2018 to order controllers to disclose the personal data to third parties at their request.
Article provided by: Xawery Konarski and Mateusz Kupiec (Traple Konarski Podrecki & Partners, Poland)
Dr. Tobias Höllwarth (Managing Director INPLP)