President of the Personal Data Protection Office met with data protection officers in the courts
Mirosław Wróblewski, President of the Personal Data Protection Office, together with Professor Agnieszka Grzelak, Deputy President of the Personal Data Protection Office, and co-workers, met with representatives of data protection officers (DPOs) appointed in courts. The DPOs are preparing a code of conduct for common courts for cases that are not part of the administration of justice. The meeting was also attended by representatives of the Ministry of Justice interested in this initiative.
The court DPOs identified a fundamental difficulty in their work: separating the processing of personal data in the exercise of justice from other processing undertaken in the practice of the courts.
According to Article 55(3) of the GDPR, supervisory authorities, such as the President of the Personal Data Protection Office, are not competent to supervise processing operations carried out by courts in the exercise of their judicial functions. Polish courts are obliged to apply data protection legislation in their activities, but it is not the responsibility of the President of the Personal Data Protection Office to supervise their judicial activities. In Article 175 dd of the Law on the Organisation of Common Courts, the legislator has indicated the authorities which are to exercise such supervision in the field of administration of justice. However, the competences of these authorities do not include the power to accept notified personal data breaches referred to in Article 33 GDPR. That is one of the reasons why the President of the Personal Data Protection Office, Mirosław Wróblewski, decided to take an active role in the careful assessment of breaches notified by courts in the area of his jurisdiction.
Despite the above regulation and several years of practice of the application of the GDPR in courts, doubts remain related to the practical aspects of supervising the processing of personal data. The difficulty of drawing the dividing line between what is and what is not the administration of justice contributes to the uneven practice of applying the data protection legislation.
Another major challenge is dividing roles and ensuring the security of personal data in an era of dynamic digitalisation of public services and centralisation of citizens' databases.
Seeking to overcome the above difficulties, the DPOs have taken the initiative to develop a code of conduct within the meaning of Article 40 GDPR. The clarification of data processing operations will undoubtedly contribute to a higher level of protection and greater uniformity in the application of the rules on the processing of personal data in the administration of justice.
The discussion focused on the scope of the future code and its recipients. The initiative, which represents courts of all instances, needs to consider the choice of applicant in the future procedure for the approval of the code and the range of actors to be consulted. Participants agreed that this range should include judges and court staff and their associations, as well as experts from the Ministry of Justice responsible for the organisation of the judiciary.
Much attention has been paid to the monitoring mechanisms of the code, which will only cover public sector entities. The adaptation of internal audit and management control mechanisms in the code of the Polish Hospital Federation shows a possible path also for the courts.
During the meeting, participants also noted the need for legislative changes necessary to complete the reform of personal data protection in the justice system, in connection with the application of national regulations and their relationship with the GDPR and the so-called LED Directive.
Mirosław Wróblewski, President of the Personal Data Protection Office, together with Agnieszka Grzelak, Deputy President of the Personal Data Protection Office, being aware of the challenges faced by controllers and data protection officers in courts on a daily basis, expressed the readiness of the Personal Data Protection Office to support and further cooperate in the preparation of the code of conduct.