On 3 April 2019 the President of Poland signed into law the GDPR Implementation Act (full name: Act Amending Certain Acts to Ensure Application of the General Data Protection Regulation). Among the controversial issues addressed in the GDPR Implementation Act are the requirement to obtain consent to profiling and the catalogue of types of personal data that may be processed by suppliers of online services. This catalogue is set forth in Art. 18(1) of the Electronic Services Act. The original draft of the GDPR Implementation Act provided for repeal of that section, but during the course of legislative work on the act it was decided to leave the catalogue in place. This solution may conflict with the GDPR.
Can the full catalogue of data under Art. 18(1) be processed in every case?
Under Art. 18(1) of the Electronic Services Act, a provider of electronic services may process a range of personal data necessary for conclusion, establishment of the terms, amendment or termination of the contract, including e.g. the user’s PESEL personal identity number, registered place of residence, and mailing address. In turn, Art. 5(1)(c) GDPR provides that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” This is the principle of “data minimisation,” under which in each case the data controller should decide what data should be processed in the specific instance. Expressly listing in the Electronic Services Act a catalogue of data that may be processed thus appears inconsistent with the data minimisation principle and may lead to processing of excessive data, relying on the act as a regulation releasing the data controller from the need to make a determination of what data are essential for processing in the given case.
To avoid doubts in the event of an inspection of personal data processing, the optimal solution would appear to be to comply with the principle of data minimisation in each instance of delivery of services online, and thus, for example, to refrain from processing a user’s PESEL number if it is not justified by the nature of the service provider’s business.
Profiling based on consent is also problematic
Under the new Art. 18(4) of the Electronic Services Act (introduced via the GDPR Implementation Act), the service provider may process other data concerning the customer not essential for electronic delivery of the service, with the customer’s consent, for purposes of advertising, market research, and research on the behaviours and preferences of customers, where the results of the research will be used for improving the quality of the services delivered by the provider. In practice this means that entities wishing to conduct profiling, e.g. for tailoring ads and market research, must obtain the customer’s consent. The problem is that this is regulated more restrictively than in the GDPR, which permits profiling also on grounds other than the consent of the data subject, e.g. based on a legitimate interest pursued by the data controller, so long as the profiling does not result in automated decision-making. However, under the new Art. 18(4) of the Electronic Services Act, it is irrelevant whether automated decisions will be made; consent is always required. Moreover, Poland’s Personal Data Protection Office takes the view that such consent must be explicit.
In this regard, the GDPR Implementation Act has two serious consequences. First, providers of online services which have already made changes in the protection of personal data they process, based on the assumption under the GDPR that consent to profiling is not always required, will now need to change this approach, which could generate serious costs for them to re-evaluate the legal compliance of their internal procedures. Second, customers of electronic services may look forward to a flood of emails and popup windows requesting consent to profiling, which users are unlikely to greet with enthusiasm.