Personal data cannot be disclosed with impunity

It is about posts on X, in which users using the names: @DorotaKania2, @Jan_Pinski, and @KoneserUS17 published data from the passport questionnaires of prosecutor Ewa Wrzosek, former minister and current member of the European Parliament Mariusz Kaminski, 19th term Sejm member Marek Jakubiak, as well as Mariusz Kaminski's mother and the mother of current Justice Minister Adam Bodnar.

This is a crime under Article 107(1) of the Act on the Protection of Personal Data (“Any person who processes personal data, although processing thereof is not permitted, or is not authorized to process them, shall be subject to a fine, restriction of personal liberty or imprisonment for up two years.”).

The entries included names, maiden names, dates of birth, personal identification numbers (PESEL numbers), residential addresses, marital status, citizenship, education, membership in political organisations, parents' names, then-identity card numbers and lists of distinguishing marks and places of legal domicile, as well as data on spouses.

Some of the people whose data have been disclosed in the manner described above perform public functions, so their personal information to a certain extent (name and surname) is public (constitutes public information). However, the rest of the information belongs to the sphere of their privacy.

The range of personal data made available uniquely identifies the data subjects, creating a risk to the rights or freedoms of these individuals. Access to these data by unauthorised persons may give rise to the risk of, for example, identity theft or forgery, financial loss, damage to reputation or loss of confidentiality of personal data. In the situation of data that relate to certain public officials, these actions have also created a risk to their security (as in the case of Ms. Prosecutor). These actions appear to be particularly socially harmful and deserve a response from the relevant law enforcement authorities. This is an action that not only violates the privacy of such individuals in an unprecedented way, but, above all, raises the risk of violating the elementary interests of their lives and those of their families, such as possible acts of violence and aggression against life and health.

The President of the Personal Data Protection Office, Mirosław Wróblewski, reminds that according to the GDPR (Art. 5(1)(a) and (c)), personal data must be: processed lawfully, fairly and in a manner transparent to the data subject (‘lawfulness, fairness and transparency’); and furthermore: adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’).

In turn, pursuant to Article 6(1) of the GDPR, processing is lawful only if, and to the extent that, one or more of the following conditions are met:

- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject

- processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.