
The European Commission has taken up the matter of the exclusion of Polish parish records from GIODO oversight and intends to ask the Polish authorities for clarification.

The European directive on personal data protection, which the Sejm transposed into Polish law, says that a Member State may restrict supervisory authorities' access to inspect entities processing personal data in the following areas: public security, economic or financial interests, and combating crime. Polish MPs added a fourth exclusion to this list: parish records. In March 2011 I filed a complaint with the European Commission (complaint number CHAP(2011)00776) against the ill-fated Article 43(2) of the Personal Data Protection Act for non-compliance with Directive 95/46/EC. After 16 months (sic!) I finally received a reply from the Commission - fortunately, the reply is positive.

The Commission notes the incompatibility of the Polish act with the EU directive and will probably ask the Polish state authorities for clarification. The Commission notes that religious associations processing personal data should not be treated exceptionally, since they do not fall within the exceptional cases listed in the directive. In the letter below, the Commission cites the case before the Court of Justice against Bodil Lindqvist, in which the Court held that religious activity cannot be a reason for exceptions to the application of personal data protection law.

I think this is great news for the MPs working in the Sejm committee on the amendment to the Personal Data Protection Act (UoODO) submitted by Ruch Palikota. You can read the amendment here, and its status can be followed here. The draft is currently at the stage of consultation with churches and religious associations.

Text of the letter from the European Commission:

Ref. Ares(2012)872466 - 17/07/2012

EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE
Directorate C : Fundamental Rights and Citizenship
Unit C3 : Data Protection

Brussels,
JUST/C3/AK/SV/ARES (2012) 783386s
Mr Robert Prochowicz

Re: CHAP 2011(776) - complaint - wrong implementation of Directive 95/46/EC - Article 43(2) of the Polish Personal Data Protection Act - lack of powers of the Polish Data Protection Supervisory Authority

We refer to your complaint concerning an alleged lack of powers of the Polish supervisory data protection authority - Inspector General for the Protection of Personal Data (GIODO) - in relation to the data protection activities of religious associations.

Please allow me to provide you with the following information:

a) Processing of personal data by religious associations
At Union level, the processing of personal data is regulated by Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive). Therefore, any data processing operation has to be carried out in line with the principles laid down in this Directive unless an exemption is applicable.

The only instances of processing of personal data not covered by the Data Protection Directive are those expressly listed in Article 3(2). The first indent of this provision exempts data processing in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.

However, in case C-101/01, Criminal Proceedings against Bodil Lindqvist, the Court of Justice of the European Union clarified that activities of a charitable or religious nature do not fall within the scope of this exception (Case C-101/01, Lindqvist, [2003] ECR I-12971, para. 44-45). In consequence, the Commission considers that processing of personal data by religious associations falls within the scope of EU law as it constitutes processing of personal data, a process which is regulated by the Data Protection Directive.

b) Competence of data protection supervisory authorities to monitor the application of the provisions of Directive 95/46/EC within their territory

Article 28 of Directive 95/46/EC requires that each Member State shall provide that one or more public authorities are responsible for its monitoring the application within its territory. The authorities shall act with complete independence in exercising the functions entrusted to them. Each authority shall in particular be endowed with investigative powers (powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties), effective powers of intervention (ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, or warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions), and the power to engage in legal proceedings where the national provisions adopted pursuant to the Directive have been violated or to bring these violations to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

You might be aware that the Commission adopted the Data Protection Reform very recently and presented a proposal for a Regulation on data protection which will constitute - once it is adopted - a sound framework for the protection of the fundamental right to data protection in the Union. One of the issues which is addressed in the new provisions is linked to the protection of personal data in relation to religious associations:

- recital 128: This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority;

- Article 9 (d): processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects;

Remark: this Article mirrors Article 8 d) of Directive 95/46/EC, but adds a reference to the processing of personal data of former members.

- Article 85: Existing data protection rules of churches and religious associations

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation.

As regards the competence of GIODO, it can be noted that the Polish Act on Personal Data Protection endows GIODO with inspection powers authorising it to demand written or oral explanations, and summon and question any person within the scope necessary to determine the facts of the case (Article 43 (2) of the Act). Moreover, GIODO can notify prosecuting bodies of suspicion of commission of crimes specified by the provisions of the Act on Personal Data Protection.

The Polish Act on Data Protection however also contains a catalogue of institutions in relation to which the powers of the Inspector General are limited. Among them are also expressly stated religious associations. In relation to data filing systems administered by religious associations, the Inspector General is not entitled to issue administrative decisions or to handle complaints, and its inspection powers have been limited.

What can therefore be established prima facie in your case - on a preliminary basis - is that GIODO does not have the powers specified in Articles 12 (2), 14 (1), (3), (4), (5) and Articles 15 - 18 of the Polish Act on Personal Data Protection transposing the Data Protection Directive 95/46/EC with regard to data filing systems relating to members of churches or other religious associations.

Therefore, we are further investigating your case in order to verify the compatibility of the Polish Act on Personal Data Protection with the Data Protection Directive 95/46/EC, in particular the powers of GIODO in relationship to religious associations. This will be done also against the background of the draft data protection Regulation, as it sets out the way proposed by the Commission. We consider requesting the Polish authorities to provide us with the necessary supplementary substantial information.

You may, if you wish, submit further material or comments in relation to this letter. In the absence of such material within four weeks of the date hereof, we will proceed to close the file and consequently contact the Polish authorities officially to verify the compatibility of the Polish Act on Personal Data Protection with the Data Protection Directive 95/46/EC.


We will keep you informed of the next steps that we will take in the framework of this procedure.

Yours sincerely,
Marie-Hélène BOULANGER