On the protection of personal data of people coming from Ukraine during the DPOs Forum
A representative of the Personal Data Protection Office took part in the Data Protection Officers Forum organised by the Wielkopolska Centre for Local Government Education and Studies, which took place on 31 March 2022.
The meeting was addressed to Data Protection Officers (DPOs) from local government units and concerned i.a. current problems related to personal data protection faced by processors of personal data of persons seeking shelter and assistance in connection with the situation caused by the attack of the Russian Federation on Ukraine. The representative of the Personal Data Protection Office (UODO) discussed issues related to the application of the provisions of the GDPR to the processing of personal data of persons from Ukraine.
Application of the GDPR
Monika Kurzajewska from the Division of Cooperation with Data Protection Officers of the Case Law and Legislation Department pointed out that recently the Personal Data Protection Office has been notified of many doubts and questions related to the application of the provisions of the General Data Protection Regulation (GDPR) to the processing of personal data of persons arriving from Ukraine. She explained that such processing must comply with the principles set out in the provisions of the GDPR, as the obligations set out in those provisions must be performed in the same way as in any other case. According to the GDPR, each controller is required to implement appropriate technical and organisational measures to ensure that the processing complies with the GDPR and to be able to demonstrate this.
Principles, conditions and procedure of granting protection to aliens within the territory of the Republic of Poland by the relevant authorities have been regulated in the Act of 13 June 2003 on granting protection to aliens within the territory of the Republic of Poland (Journal of Laws of 2021, item 1108). Temporary protection is regulated by Art. 106 of this Act. Pursuant to Art. 107, temporary protection shall be provided on the basis and within the limits specified in the decision of the Council of the European Union, for the period specified every time in the decision.
On 4 March 2022, the Council of the European Union issued Implementing Decision 2022/382 establishing the existence of a mass influx of displaced persons from Ukraine within the meaning of Article 5 of Directive 2001/55/EC, and having the effect of introducing temporary protection.
The Act of 12 March 2021 on assistance to citizens of Ukraine in connection with the armed conflict in the territory of Ukraine (the so-called special act) includes the introduction of temporary protection, as defined by Council Implementing Decision (EU) 2022/382.
This Act provides for a procedure of simplified legalisation of stay of the group of persons arriving from Ukraine specified in the provisions of the Act and comprehensively regulates all issues related to their stay as well as the scope of assistance provided to them.
In relation to the group of persons arriving from Ukraine specified in the special act, the provisions of the special act will apply, not the provisions of Chapter 3, Section III of the Act on granting protection to aliens within the territory of the Republic of Poland.
Grounds for personal data processing
In the case of public entities, as a rule, the personal data processing may take place once one of the conditions set out in Article 6(1) GDPR and Article 9(2) GDPR is fulfilled, in conjunction with the relevant specific provisions specifying the tasks of these entities. Therefore, the identification of the appropriate premise requires a detailed analysis of the specific duties/tasks performed by such an entity and legal provisions applicable in a given situation. This analysis should be based on a thorough knowledge of all the factual circumstances relating to the type of data and the purposes of their processing. In terms of determining the appropriate basis for data processing, the status of the person arriving from Ukraine should also be taken into account (e.g. whether the provisions of the Act of 12 March 2022 apply to him/her) - said Monika Kurzajewska.
Under the provisions of the GDPR, the information obligation must be met, unless one of the grounds for exemption applies. Pursuant to Article 12 of the GDPR, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The controller should therefore adapt to the recipients of this information. Thus, if the controller processes data of persons of nationality other than Polish, the controller should ensure that the information is provided in a language that they understand and not in a language that they do not know - otherwise the controller will not be able to demonstrate compliance with the principle of transparency and accountability.
As the speaker pointed out, in order to ensure greater transparency, layered compliance with the information obligation should also be considered. The Guidelines on transparency under Regulation 2016/679 adopted on 29 November 2017 provide examples in this regard.
Records of processing activities
The speaker also reminded that a new process of personal data processing, e.g. the assistance provided to Ukrainian citizens, should always be analysed by the controller and reflected in the record of processing activities maintained by the controller. A properly developed and prepared record of data processing activities facilitates, i.a. the preparation of an information clause addressed to data subjects.
The speaker also raised the issue of the tasks performed by DPOs, who should respond to the changing needs of the controller related to ensuring compliance with the provisions on personal data protection, including advisory activities or activities related to the training of persons processing personal data.
The Data Protection Officers Forum was organised by the Wielkopolska Centre for Local Government Education and Studies Association, which brings together 275 local units.