The provisions of the Act on Access to Public Information need to be amendedk
The provisions of the Act on Access to Public Information need to be amendedk
Mirosław Wróblewski, President of the Personal Data Protection Office, addressed a letter to Ignacy Niemczycki, Secretary of State for the European Union Affairs, in which he informed about the need to make appropriate amendments to the regulations governing access to public information.
The supervisory authority based its position on the content of the judgment of the Court of Justice of the European Union of April 3rd 2025 in Case C-710/23, Ministry zdravotnictví (Ministry of Health, Czech Republic), in which the Court examined the issue of the conflict between two rights – the right of access to public information and the right to the protection of personal data.
The Court noted that, in accordance with Article 6(2) of the GDPR, Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing. In the context of public access to official documents, Article 86 of the GDPR provides that in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.
The President of the Personal Data Protection Office points out that the CJEU judgment analysed in the Polish legal order should be referred primarily to the content of the Act on Access to Public Information. Article 5(2) is of key importance of that act, under which the right to public information is restricted on grounds of the privacy of a natural person or the secrecy of an entrepreneur. This restriction does not apply to information about persons performing public functions related to the performance of those functions, including the conditions of entrustment and performance of functions, and the case where a natural person or entrepreneur renounces their right.
However, the aforementioned regulation does not contain any reference to the provisions on personal data protection and the GDPR itself, but it follows from the case-law of the administrative courts that the right to personal data protection must be derived from the broader right to privacy as a legal restriction of access to public information.
An analysis of the provisions in force in Poland on disclosure of public information and the case-law of the Polish administrative courts shows that the issue of ensuring the information autonomy of the data subject in respect of whom a request for disclosure of public information has been made is neither sufficiently precisely regulated in Article 5(2) of the Act on Access to Public Information, nor can there be a fully unequivocal and established case-law of the courts in this regard.
In the judgment under consideration, the CJEU stressed the need for the controller to consult the person before providing documents containing his or her personal data, with certain limitations, i.e., a situation in which it is impossible to carry out such consultation, a disproportionate effort related thereto and a disproportionate restriction on the right of public access to those documents for those reasons.
The CJEU ruling concludes that the Act on Access to Public Information does not set out in sufficient detail the requirements for processing and other measures to ensure the lawfulness and fairness of processing, as required by Art. 6(2) of the GDPR.
The President of the Personal Data Protection Office explains that the wording of Art. 5(2) of the Act on Access to Public Information does not specify the conditions to be followed when assessing whether disclosure would infringe the right to privacy of the person to whom the request relates, nor does it specify the procedure for ensuring the information autonomy of that person (in particular, it does not follow from it whether and in what circumstances it is necessary to ask him or her to take a position on whether his or her data should be disclosed). As a result, the controller executing this request is not sure whether its action (or omission) in this respect complies with the provisions of this Act and the principles of personal data protection.
It is therefore necessary to make appropriate precise amendments to the Polish provisions governing access to public information in accordance with the judgment of the Court of Justice of the European Union and the provisions on the protection of personal data.
The full content of the position of the President of the Personal Data Protection Office is available below.