Personal Data Protection Office’s infoline – frequently asked questions

In the course of the work of the Personal Data Protection Office’s infoline, which can be used by any citizen, similar questions are often asked, which means that they concern particularly important issues. Below we present a selection of such important questions and answers provided by Personal Data Protection Office’s employees.

The Personal Data Protection Office’s infoline is open on working days from 10 a.m. to 2 p.m. at + 48 606-950-000.

Question:

If customers data are processed in connection with the need to perform a contract concluded with them, do they have the right to object under the GDPR? Is it necessary to inform them of this right in such a situation?

Answer:

No, if personal data are processed in connection with the performance of a contract (Article 6(1)(b) of the GDPR), the right to object does not apply. In such a situation, when fulfilling our information obligation, we do not inform about this right. 

Grounds:

Pursuant to Article 21 of the GDPR, the right to object is available to a data subject where their data is processed:

• in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR),
• for purposes arising from legitimate interests pursued by the controller or a third party (Article 6(1)(f) of the GDPR),
• for direct marketing purposes (Article 6(1)(f) in conjunction with recital 47 of the GDPR).
• for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR (unless processing is necessary for the performance of a task carried out in the public interest).

The aforementioned regulation stipulates that the right to object applies only in the cases indicated above.

The facts presented in the question indicate that the controller processes its customer's data in connection with the performance of the contract concluded, and therefore on the basis of Article 6(1)(b) of the GDPR. In such a situation, in accordance with the above argumentation, the customer will not have the right to object.

As part of the information obligation, no information about the right to object is provided if this right does not actually apply.

Question:

Does a creditor need to have a court judgment in order to process the debtor's data for the purpose of pursuing a claim for payment?

Answer:

No, the creditor does not need a court ruling to legally process the debtor's personal data for the purpose of pursuing claims.

Grounds:

Article 6(1)(f) of the GDPR applies to the processing of debtor data by the creditor for the purpose of pursuing claims. According to this provision, data processing is permissible if it serves the legitimate interests pursued by the controller or by a third party. Such a legitimate purpose may be, for example, the pursuit of claims against the debtor. In such a case, data processing is legally permissible and does not require the debtor's consent. It is not necessary for the creditor to have an enforcement order against the debtor whose data it wishes to process.

Question:

Should a failure by a personal data controller to fulfil its information obligation towards the data subject (in violation of Article 13 or 14 of the GDPR) be classified as a personal data breach that must be notified to the President of the Personal Data Protection Office (pursuant to Article 33 of the GDPR)?

Answer:

No, the above-mentioned violations of the GDPR are not subject to notification to the President of the Personal Data Protection Office pursuant to the above-mentioned Article 33 of the Regulation.

Grounds:

Pursuant to Article 33(1) of the GDPR, personal data breaches shall be notified to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, according to the definition contained in Article 4(12) of the GDPR, ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Therefore, the aforementioned definition does not cover a case of a breach by the controller of the provisions concerning the fulfilment of the information obligation.

Question:

The employer transfers employees' salaries to the bank account numbers they have specified. In this situation, does the employer need the employees' consent to use the bank account numbers they have provided for the above purpose, given that the payment of salaries is a legal obligation?

Answer:

No, because in the situation described, the employer uses the bank account numbers provided by the employees to fulfil its legal obligation, i.e. the obligation to pay remuneration on time.

Grounds:

Pursuant to Article 94(5) of the Labour Code, one of the basic obligations of an employer is to pay remuneration in the correct amount and on time. In turn, pursuant to Article 86 § 3 of this Act, remuneration for an employee should be paid to the bank account number indicated by the employee. However, an employee may submit a request in paper or electronic form for the payment of remuneration to be made in person, and the employer is bound by such a request. As follows from the above regulation, under the current legal framework, the rule is to pay remuneration to the bank account indicated by the employee. Therefore, when paying remuneration to the bank account number indicated by the employee, the employer does not need the employee's additional consent to process personal data in the form of a bank account number, as it fulfils a legal obligation under the above-mentioned labour law provisions. Thus, the condition for the lawful processing of personal data under Article 6(1)(c) of the GDPR will be met, according to which the processing of personal data is permissible if it is necessary for compliance with a legal obligation to which the controller is subject.

Question

Can monitoring in the workplace include audio recording in addition to video recording?

Answer

No, monitoring in the workplace cannot be used to record sound. 

Grounds

Pursuant to Article 222 § 1 of the Labour Code, monitoring should be treated as a form of surveillance (of the workplace or the area surrounding the workplace) carried out by means enabling (which is important in the case under analysis) the recording of images. The legislator did not provide for the possibility of recording sound by means of monitoring in the aforementioned provision. Thus (a contrario), it must be concluded that there is no legal basis for recording sound by means of monitoring.  

Question

Can a student, after reaching the age of majority, withdraw the consent given by their parent (legal guardian) for the school to publish their image?

Answer:

Yes. Upon reaching the age of majority, a student may withdraw the consent to the publication of their image given by their parent.

Grounds

Firstly, it should be noted that consent to the processing of personal data (including the publication of images) of a minor student is, as a rule, given by their parents (legal guardians). These persons may also withdraw such consent at any time. However, once the student reaches the age of majority, they may independently withdraw (or change) the consent given by their parent (legal guardian) in accordance with Article 7(3) of the GDPR. The personal data controller will be obliged to inform adult students of this right. This requirement is highlighted by the European Data Protection Board in its guidelines 05/2020 on consent under the GDPR, adopted on 4 May 2020 (point 149).