Courts’ obligation to notify personal data breaches to the supervisory authority
The Polish Supervisory Authority has prepared a publication, "Processing of personal data by courts in the context of personal data protection", which answers the question of whether, and if so to what extent, the President of the Polish Supervisory Authority is the competent authority to receive personal data breach notifications and to carry out inspections in the case of courts.
Article 55 of the GDPR provides that supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity. In accordance with Recital 20 of the GDPR, the competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. However, the Regulation allows Member State law to specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities.
The Polish legislator made use of this possibility in the Law on Common Courts Organisation (hereinafter: the Act). Article 175(d)(b) of the Act stipulates that courts are the controllers of personal data processed in court proceedings in the exercise of the administration of justice or the implementation of legal protection tasks.
However, the provisions of the Act do not explicitly indicate that these bodies are also authorised to receive notifications of personal data breaches. In such a situation, it should be assumed that, as a general rule, the GDPR applies to the actions of courts and other judicial authorities in notifying personal data breaches, as referred to in Article 33 of the GDPR. Therefore, the controller (e.g., a court) is in any case obliged to assess whether or not a particular incident constitutes a personal data breach, and if so, whether or not the breach involved processing by the courts acting in their judicial capacity.
Taking into account the doubts reported to the supervisory authority on this issue, the Polish SA has prepared a dedicated guide that provides helpful information for assessing situations related to the processing of personal data by the courts, with regard to their qualification as a personal data breach requiring notification to the supervisory authority. This publication will help to ensure the consistent application of the GDPR to processing carried out by courts.