Prohibition on the processing of sensitive personal data (the processing of personal data by authorised employees of the Supreme Chamber of Control (NIK)) K 39/12
The processing of data that reveal individuals’ political opinions, religious beliefs or philosophical convictions, as well as information on their genetic codes, addictions or sexual lives, is not useful in the context of the constitutional and statutory catalogue of entities audited by the Supreme Chamber of Control and the scope of an admissible audit.
At the hearing on 20 January 2015 at 9 a.m., the Constitutional Tribunal considered an application, submitted by the Public Prosecutor-General, with regard to the conformity of provisions that authorised the auditors of the Supreme Chamber of Control to process sensitive personal data to the constitutional right to privacy and the principle of appropriate legislation.
The Constitutional Tribunal adjudicated that:
1. Article 29(1)(2)(i) of the Act of 23 December 1994 on the Supreme Chamber of Control:
a) insofar as it permitted authorised representatives of the Supreme Chamber of Control to process data that revealed individuals’ political opinions, religious beliefs or philosophical convictions, as well as information on their genetic codes, addictions or sexual lives, was inconsistent with Article 47 and Article 51(2) in conjunction with Article 31(3) of the Constitution;
b) within the remaining scope, was consistent with Article 47 and Article 51(2) in conjunction with Article 31(3) of the Constitution;
2. Article 27(2)(2) of the Act of 29 August 1997 on the Protection of Personal Data in conjunction with Article 29(1)(2)(i) of the Act referred to in point 1, was consistent with the principle of appropriate legislation, derived from Article 2 of the Constitution.
As to the remainder, the Constitutional Tribunal decided to discontinue the review proceedings.
Addressing the allegation that the right to privacy had been infringed, the Constitutional Tribunal stated that the processing of data indicated in point 1(a) of the operative part of the judgment (i.e. data that revealed individuals’ political opinions, religious beliefs or philosophical convictions, as well as information on their genetic codes, addictions or sexual lives), was not useful in the context of the constitutional and statutory catalogue of entities audited by the Supreme Chamber of Control and the scope of an admissible audit.
The said statement was sufficient to issue a judgment that unconstitutionality in that context pertained only to a certain scope. Indeed, a restriction of constitutional rights which is not useful may not be regarded as indispensable, and thus definitely not as proportionate in a strict sense in a democratic state ruled by law.
What the Tribunal considered to be useful for the exercise of the constitutional and statutory powers of the Supreme Chamber of Control was the data mentioned in point 1(b) of the operative part of the judgment. Data concerning health constituted an essential element of evidence material in the course of an audit of entities providing health-care services.
Data concerning sentences, rulings and fines were important in particular in the course of auditing the following organs of public authority: the Customs Service, the Prison Guard, the police as well as the organs of public administration. By contrast, data that revealed political party membership might be used by the Supreme Chamber of Control when evaluating compliance with the principle of being apolitical in the case of the corps of civil servants as well as the employees of the organs of public authority.
The Tribunal stated that data that revealed political party membership did not belong to the realm of exclusive privacy, as activity related to a political party was between a private and public realm, and constitutional provisions prohibited keeping political party membership secret. According to the Tribunal, the processing of those data was indispensable for guaranteeing diligence and efficiency of public institutions as values which constituted the bases of the public order. Furthermore, access to data on the state of health by the Supreme Chamber of Control was indispensable in particular for the protection of patients’ rights and for enhancing the effectiveness of entities providing health-care and welfare services. The processing of data that revealed trade union membership was indispensable for the Supreme Chamber of Control to guarantee the effective constitutional protection of the freedom of association. Data that revealed religious community membership and data on ethnic descent were indispensable for verifying whether the organs of public authority respected the principle that national minorities and religious minorities were to be protected by law. Such data might also prove to be indispensable in the case of overseeing the activities of the organs of public authority responsible for maintaining public order with relation to a terrorist threat.
The Tribunal stated that the challenged provision of the Act on the Supreme Chamber of Control, within the scope indicated in point 1(b) of the operative part of the judgment, did not constitute an excessive restriction on the right to privacy, as an audit carried out by the Supreme Chamber of Control did not directly shape the realm of personal data.
In principle, the said institution relied on data sets or registers held by entities under audit, without interfering in the course of processing of personal data by an authorised entity under audit. Furthermore, the Tribunal considered the fact that access to sensitive personal data during an audit was granted to the auditors of the Supreme Chamber of Control, whose powers, rights and obligations were specified in detail by statute, as well as who enjoyed the status of being apolitical and impartial.
Sensitive personal data to which an employee of the Supreme Chamber of Control had access as part of his/her professional duties were covered by the requirement of confidentiality. The requirement of confidentiality remained binding even after the employment terminated, and was safeguarded by disciplinary and criminal-law sanctions.
With regard to the allegation that the principle of appropriate legislation had been infringed, the Tribunal stated that the said allegation did not merit consideration. Article 27(2)(2) of the Personal Data Protection Act, interpreted in conjunction with the binding provisions of the Act on the Supreme Chamber of Control, made it possible to reconstruct the addressee, the content of a norm governing competence and a procedure in accordance with which it was carried out, the catalogue of entities with regard to which the said competence was exercised as well as the limits of exercising the said competence.
The hearing was presided over by Judge Małgorzata Pyziak-Szafnicka, and the Judge Rapporteur was Judge Stanisław Rymar.