Ikonka home dla okruszków News and events
photo
20.08.2025

Regulations on operational surveillance by the Police require amendments

The regulations governing the use of operational surveillance by the Police require amendment, as they do not ensure effective protection of the right to privacy and the right to the protection of personal data in accordance with the case law of the Court of Justice of the European Union (CJEU). This follows from the judgment of the CJEU of 4 October 2024 in case C-548/21, CG v Bezirkshauptmannschaft Landeck.

In this matter, Agnieszka Grzelak, Deputy President of the Personal Data Protection Office addressed a letter to Marcin Kierwiński, Minister of Internal Affairs and Administration.

The Court held that when the Police seize a phone and use it to obtain information contained therein, including personal data, this constitutes the processing of personal data within the meaning of Article 3(2) of the Law Enforcement Directive 2016/680, even if, for technical reasons, the Police in that particular situation do not actually gain access to such data.

The Court emphasized that access to all data stored on a mobile phone may constitute a serious interference with the fundamental rights of the data subject. Data obtained in this way may include messages, photos, and internet browsing history, which in a given case may allow for highly precise conclusions to be drawn about the person’s private life. The processed personal data may also belong to special categories, such as data on health status, sexual orientation, or political beliefs.

The Court found that Article 4(1)(c) of Directive 2016/680, in conjunction with Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, does not preclude national legislation granting competent authorities the ability to access data stored on a mobile phone for the purposes of preventing, detecting, and prosecuting criminal offences, provided that this process is properly regulated by law, which:

  • defines with sufficient precision the nature or categories of crimes concerned,
  • contains safeguards ensuring respect for the principle of proportionality, and
  • makes such access subject, except in duly justified urgent cases, to prior review by a court or an independent administrative authority.

 

This judgment implies that the model of operational surveillance provided for in Article 19 of the Police Act does not meet the standards of protection of the right to privacy and the right to the protection of personal data established in CJEU case law. These regulations do not provide appropriate safeguards for the right to privacy. They also fail to ensure proper judicial review, since the Act currently does not require a court to justify its decision authorizing surveillance. This may result in judicial oversight remaining illusory from the perspective of the data subject.

Moreover, Polish legislation does not provide for the possibility of notifying a person subjected to operational surveillance, nor does it provide the possibility of filing an appeal. Additional concerns also arise from the catalogue of offences which may form the basis for carrying out operational surveillance.

In light of the above, and following an analysis of the CJEU judgment in case C-548/21, the President of the Personal Data Protection Office considers it necessary to urgently undertake legislative measures to ensure effective protection of the right to privacy and the right to the protection of personal data with respect to the regulations governing operational surveillance by the Police.

DPNT.413.12.2025

 

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stanisława Moniuszki 1A, 00-014 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.