New data storage rules by the Police – how can the CJEU ruling affect Polish law?

LAWNew data storage rules by the Police - how can the CJEU ruling affect Polish law?

Under Article 20 of the Police Act, this formation can collect data about citizens in Poland for the purpose of carrying out its statutory duties. This norm allows authorities to accumulate this data indefinitely, provided they cite, for example, the need to prevent crime. In a Bulgarian case concluded with a judgment on January 30, 2024, the EU Court of Justice ruled that the police cannot indefinitely hold biometric and genetic data of all convicts until their death. Authorities should periodically examine whether there is a need for further storage of such data, and if not, the convict should have the right to request their removal (case C-118/22). So, can the Police authorities in Poland indefinitely hold the data of citizens?

After the conviction is expunged, it is considered non-existent…

One of the basic institutions of criminal law is the expungement of a conviction. Its essence lies in the fact that after a certain period of time from serving the sentence, or subjecting a person to probation, the conviction is considered non-existent, and the person is seen as never having been punished. The chance to regain unpunishability is supposed to serve as a strong motivation for the perpetrator to reform.

Except for exceptions indicated in the law, the conviction is expunged after a certain period of time by virtue of law, or earlier at the request of the convicted person. For instance, a conviction for imprisonment is expunged by law after 10 years from its execution, and for restriction of liberty – after 3 years. As per Article 106 of the Penal Code, at the moment of expungement, the conviction entry is removed from the register of convicted persons, and the conviction is considered non-existent.

…but a trace remains

Under the Police Act, this formation, in order to carry out its statutory duties, can process information, including personal data (including certain genetic data), fingerprints (biometric data), photos, and descriptions of appearance. According to the Order of the Chief Commander of the Police dated May 15, 2020, on the Unified Subject Index of Police Acts, criminal documentation is stored in police databases for a period of at least (depending on the gravity of the crimes) 15-25 years for misdemeanors and 30-40 years for crimes. The period of storage of tax crime documentation is 15-20 years. The police even keep records of discontinued cases for at least 5 years, also when no act was committed, as well as in the case of a simple note about identifying a person.

– We are talking here only about the minimum period of storing records, as indicated by the phrase “at least”. In reality, there are no clear regulations in the Polish legal system that would set the boundaries of the period after which the Police would be obliged to destroy the documentation of the convicted, detained, or even only suspected person, who, as it turns out later, did not commit any crime – explains Robert Nogacki from Skarbiec law firm. – After all, the Police can refer to the “need to carry out their statutory tasks”, which include detecting crimes and offenses and pursuing their perpetrators, to refuse to destroy data, raising that according to its opinion, further storage of them is necessary to carry out these statutory tasks.

The necessary period for fulfilling the statutory tasks of the Police

In 2018, a suspected woman filed a request to the Chief Commander of the Police to remove her personal data from the National Police Information System (KSIP). She argued that the criminal proceedings conducted against her had been discontinued, and further processing of the subject data deprived her of the opportunity to take a job in the judicial authorities. The Head of the Information Service Department of the Criminal Intelligence and Information Bureau of the Chief Police Commander refused, citing the then applicable provision of Article 20, paragraph 17 of the Police Act. This provision stipulated that personal data collected to detect a crime are stored for the period in which they are necessary for the implementation of statutory tasks carried out by the Police. Police authorities carry out a verification of this data after the conclusion of the case, also not less frequently than every 10 years from the day of obtaining or retrieving data, removing unnecessary data. He also pointed out the ordinance of the Minister of Interior and Administration dated August 23, 2018, on processing information by the Police, which entitles them to store personal data as long as they are useful for carrying out the tasks, especially for investigative actions and those aimed at preventing crime in the future. What is significant, as the Head himself admitted: “Registration in the police data set does not determine any wrongdoing of a person whose data are processed. Such registration is only auxiliary in nature for the criminological assessment of a person conducted by the Police” (Decisions of the President of the Personal Data Protection Office, decision ZSOŚS.440.148.2018).

The result of the case does not matter

The Police’s position was confirmed in the cited decision by the UODO President. He informed that KSIP is a register serving to collect and process data about the proceedings initiated and conducted by the Police, regardless of how they ended. None of the bodies entitled to make decisions concluding these proceedings (prosecutor’s office, courts) have the obligation to inform the Police about their termination. Therefore, the potential discontinuation of proceedings or expungement of a conviction does not entail by law the removal of data from KSIP. When a conviction is considered non-existent, the entry about the conviction is removed from the register of convicted persons, but not from other registers. As the UODO President added, in line with Article 20, paragraph 17 of the Police Act, after the conclusion of the case, Police authorities carry out a verification of the sets of information they hold, not less frequently than every 10 years.

For the safety of citizens

The Police decides about the aforementioned “necessity”. Against the convicted, the suspects, the suspected, the acquitted, and ordinary citizens, who were only identified, among other things, the judgment of the Voivodship Administrative Court in Warsaw from January 28, 2014, (ref. act II SA/Wa 1366/13) advocates, in which the Court ruled, that “Police authorities are entitled to process data of persons not only suspected (…) also those against whom the conviction has been expunged. (…) it would be inappropriate to deprive the Police authorities of access to the full information, which the Police itself produced in a legal manner”. Also, the Supreme Administrative Court stated that the control over the legality of data processing should primarily consider the principles resulting from the content of Article 20, paragraph 2a of the Police Act (for the purpose of carrying out statutory tasks, the Police can collect information about persons without their knowledge and consent). “It cannot be overlooked that information collected by the Police, including the personal data of a participant in the proceedings, serves to accomplish very important tasks from the point of view of the functioning of the state, particularly the safety of the citizens, statutory tasks imposed on this formation” (judgment of April 21, 2017, ref. act. I OSK 2426/15).

The police cannot hold data indefinitely until death

The Court of Justice of the European Union dealt with the case of a criminal convicted in Bulgaria for giving false testimony. He was sentenced to one year of restriction of liberty. After serving this sentence, he took advantage of the expungement institution, then applied for his removal from the police register. Bulgarian authorities refused, stating that the regulations allowed them to store data until the death of the person concerned, even after the expungement of the conviction. The CJEU ruled on 30 January that such action by the police authorities was contrary to EU law: “Even if the general and undifferentiated storage of data is justified by the need to prevent crime, conduct preliminary proceedings, detect and prosecute prohibited acts, or execute sentences, the national authorities are required to impose on the data administrator the obligation to periodically review whether such storage is still necessary, and to grant the interested party the right to remove this data when it is no longer the case” (case C-118/22 NG against Direktor na Glavna direktsia “Natsionalna politsia” pri MVR – Sofia).

Summary

Will the EU court’s decision influence requests for data deletion filed by the Police authorities in Poland? It should. The provisions of Article 20, paragraph 2a and paragraph 17 of the Police Act, to which the authorities referred in the aforementioned case of the suspected woman, who unsuccessfully demanded the removal of her personal data from the registers, were repealed in 2019. Although Article 20, paragraph 1, which entitles the Police to process personal data for the purpose of carrying out their statutory tasks, still remains in force. But there is also a paragraph 1j, which clearly states that the processing of personal data by the Police in connection with the prevention and combating of crime, takes place on the basis of a law, EU law, and provisions of international agreements. According to Article 16, paragraph 1 of the Act of December 14, 2018, on the protection of personal data processed in connection with the prevention and combating of crime, the administrator is obliged to verify the personal data at intervals specified by specific provisions regulating the activities of the responsible body, and if these provisions do not specify the time – not less frequently than every 10 years from the day of collection, obtaining, retrieving or updating the data. Based on Article 23, paragraph 1, and Article 24, paragraph 1 of this Act, the person to whom the data relates has the right of access to his or her personal data, including the right to request immediate correction and/or deletion of personal data – if these data have been collected or are processed in violation of the provisions of the Act.

This issue has been controversial and unresolved for many years. As early as in the judgment of December 12, 2005 (K 32/04, OTK-A 2005, No. 11, item 132), the Constitutional Tribunal stated that the collection of sensitive data about a person for preventive purposes, without a connection to his or her criminal past, is unacceptable in a democratic state of law. Information about citizens should not be collected because of the potential usefulness of this information, and intrusion into privacy can be applied only in connection with a specific procedure, conducted on the basis of a law allowing restrictions on freedom due to the security of the state and public order. The Police’s interference in the sphere of citizen’s rights and liberties, associated with operational activities undertaken in the public interest, cannot be unlimited.

Author: Robert Nogacki, legal counsel, managing partner, Skarbiec Law Firm, specializing in legal, tax, and strategic advisory for entrepreneurs.

Source: https://managerplus.pl/nowe-zasady-przechowywania-danych-przez-policje-jak-wyrok-tsue-moze-wplynac-na-polskie-prawo-71538

Exit mobile version