The CJEU ruling in case C-118/22 necessitates reconsideration of the Act on the Police of April 6, 1990, specifically concerning the regulations governing the operation of the National Police Information System (KSIP).
This opinion was presented by Mirosław Wróblewski, the President of the Personal Data Protection Office (UODO), in response to a question from the Minister for European Union Affairs, Adam Szłapka.
On January 30, 2024, in case C-118/22 concerning the processing of personal data in relation to the prevention and combating of crime, the CJEU ruled that the GDPR, in conjunction with the Charter of Fundamental Rights of the EU, precludes national legislation that allows police authorities to retain biometric data of individuals convicted of intentional crimes until their death.
Such data is used by police services for crime prevention, preliminary proceedings, detection and prosecution of illegal activities, and the execution of penalties. The CJEU stated that administrators of such data should conduct periodic reviews to determine whether continued retention is necessary. Affected individuals must have the right to request the deletion of their data when its retention is no longer necessary.
Under Polish law, the processing of data by police authorities related to convictions is based on the Act on the National Criminal Register, the Act on the Processing of Criminal Information, and the Act on the Police, which regulates the operation of KSIP. This last Act should be amended because the regulations concerning KSIP do not obligate the Chief of Police to conduct periodic reviews of the data contained in KSIP to assess the need for continued processing. Additionally, they do not grant data subjects the right to have their data deleted. The absence of transparent procedures for deleting data from KSIP and criteria for determining its usefulness for further processing contradicts the views expressed by the CJEU in the discussed ruling.