Ikonka home dla okruszków News and events
photo
18.11.2025

Regulations on the processing of data in public registers require urgent review

The President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, has asked Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski to conduct a review of public registers.

The President of the Personal Data Protection Office has repeatedly presented his comments on the regulations governing the operation of various registers, including the National Court Register, the Personal Identity Documents Register, and the Personal Identification Number Register (PESEL). He has also raised concerns about applications that operate based on data retrieved from public registers, such as mObywatel or the Integrated Analytical Platform. The supervisory authority is now once again calling for a review of the functioning of public registers. This is necessary because the Polish legal system faces challenges related to the implementation of several European Union legal acts that change existing models of data processing, including personal data, in public registers, the UODO President notes. These include, among others:

  • • the Data Governance Act,
    • the Artificial Intelligence Act,
    • the Digital Services Act,
    • the Data Act,
    • the regulation on the European Health Data Space,
    • the amendment to the regulation on the European Digital Identity framework,
    • and the implementation of the directive on measures for a high common level of cybersecurity of networks and information systems within the Union.

The President of the Personal Data Protection Office points out that the application of these regulations will involve the use of IT tools, including artificial intelligence. This creates the need to ensure appropriate oversight of these processes and entails risks to individuals’ rights and freedoms, including their privacy. He recalled that the Court of Justice of the European Union (CJEU) has previously addressed issues related to personal data processing in public registers in the context of limiting public authority. The Court has also considered the issue of linking data obtained from various databases within public registers and the concept and role of the data controller.

In the view of the President of the Personal Data Protection Office, proper implementation of the new regulations requires a review of public registers — both in terms of their legal basis and their substantive content. Only such an inventory will allow for an assessment of the legal provisions under which the registers operate.

The President of the Personal Data Protection Office draws attention in particular to:

 

  • identifying and properly assigning roles in data processing processes for the entities operating the registers,
    • assessing the personal data contained in public registers in terms of their actual necessity,
    • evaluating the role of entities and bodies involved in the processing of personal data in public registers, including how the registers are populated and the rules for using the data they contain,
    • assessing the adopted model of data transparency in public registers, especially regarding the public disclosure of PESEL numbers,
    • evaluating the solutions adopted in some public registers concerning access to data, data exchange, use by other controllers, and so-called teletransmission,
    • assessing the impact of EU legal acts on public registers.

In designing and shaping the content of regulations as well as data processing methods, it is equally important to:

  • prepare data protection impact assessments during the design of public registers,
  • ensure data protection by design and by default in the development of public registers,
  • clarify data retention rules,
  • establish rules for automated decision-making, including profiling and the use of artificial intelligence,
  • ensure the security, accuracy, confidentiality, and integrity of personal data during the operation of public registers, including in situations involving threats to state security.

According to the President of the Personal Data Protection Office, the current international situation requires viewing the security of personal data processed in public registers through the lens of threats to the state and national security in its various dimensions, which must be approached comprehensively. Public registers in which personal data of both citizens and other individuals residing in Poland are processed constitute a key element of state security. The protection of these data is therefore driven not only by threats to individual privacy but also by significant risks in the area of national defense for both Poland and the European Union. These risks are not limited to cyberthreats but relate to a full spectrum of activities involving the illegal processing of personal data.

Details of the UODO President’s communication to the Minister of Digital Affairs can be found in the document attached below.

 

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stanisława Moniuszki 1A, 00-014 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.