Following the Polish Supreme Administrative Court’s judgment, controllers of personal data are obliged to delete specific personal data from back-up copies when the “original” data is deleted from a data filing system.
In 2005 Bank S (“Bank”) offered Mr X a credit card. In order to process the credit card application, the Bank acquired from Mr X his first and last name, birth date, mother’s maiden name, identification card number, national identification number (PESEL), passport number, home address and information about Mr X’s financial situation. The Bank then performed a credit scoring. The outcome was that Mr X was judged too old to become a credit card holder.
After receiving the negative decision, Mr X asked the Bank to return the forms containing his personal data. The Bank rejected his request and informed him that his personal data had been deleted from its IT system.
Mr X was not satisfied and complained to the Polish Data Protection Authority (“GIODO”). Based on Mr X’s complaint GIODO started administrative proceedings in order to establish the circumstances of the case.
During the proceedings the Bank explained that (1) Mr X’s personal data had been deleted from the data filing system; and (2) the Bank did not process Mr X’s personal data in the IT system. The Bank also said that it was storing Mr X’s personal data in the back-up copies for archiving purposes and for its operational security. The Bank claimed that it was obliged to maintain back-up copies in accordance with Recommendation D of the Polish Financial Supervision Authority on the operational security of banks.
The Bank also argued that the purpose of holding the back-up copies was to make and retain a copy of the IT system and all data filing systems as at the date of making such copy. The Bank therefore could not change or delete the back-up copies – they were protected from modification and destruction.
Taking the above into consideration, GIODO decided that the Bank was obliged to delete Mr X’s personal data from the back-up copies. GIODO provided the following reasons for its decision:
- The personal data was collected for the purpose of (i) Mr X’s credit scoring; and (ii) concluding a credit agreement with him (processing of the data was necessary prior to entering into a contract).
- No credit agreement was reached, so processing of the data was no longer necessary. The Bank had not collected the personal data for archiving purposes or operational security, and therefore no longer had a legitimate interest as a data controller to hold the data. It is unlawful to process personal data for any purpose other than the one for which the data was collected.
- GIODO did not accept the Bank’s argument based on Recommendation D because, even though it was issued by the Polish Financial Supervision Authority, it does not form part of common law and hence is not binding.
- As there was no further legitimate ground for possessing Mr X’s personal data the Bank should have deleted Mr X’s personal data from the IT system including the back-up copies.
- GIODO stated that holding personal data in back-up copies when the data filing system no longer contains that data is also contrary to the purpose for which back-up copies are created. Back-up copies should reflect the up-to-date state of the relevant data filing system.
- GIODO gave guidance to data controllers stating that IT systems are just tools that can be used for personal data processing. IT systems should be implemented and used in a way which allows data controllers to process personal data in compliance with the relevant personal data protection rules.
Thus, IT systems should be compliant with the relevant legal provisions and not the other way around.
The judgments of the Courts
- The Administrative Court upheld GIODO’s decision. The Court stated that the idea of making back-up copies is to secure the personal data against any loss, damage, or destruction. For this reason if personal data is no longer in the relevant data filing system, there is no legitimate ground for keeping it in back-up copies.
- The Polish Supreme Administrative Court dismissed the Bank’s appeal. The Court emphasised that when there is no legitimate ground for personal data possession, personal data should be deleted from the relevant data filing system. According to the Polish Data Protection Act a data filing system is any set of personal data which is available based on certain criteria even if it is functionally divided. Data filing systems and back-up copies can be considered as one functionally divided data filing system. Therefore, deleting personal data from a data filing system means deleting it from both the data filing system and any back-up copies.
- Based on the Polish Supreme Administrative Court ruling, all data controllers (not just banks) are obliged to delete personal data from their data filing systems (including back-up copies) when there are no legitimate grounds for holding the personal data.
- When the “original” personal data has been deleted, holding the personal data in back-up copies is unlawful.
- According to the Polish Data Protection Act such possession constitutes an offence. Data controllers may face criminal liability consisting of either a fine or imprisonment of up to 2 years. Every data controller may be ordered by GIODO to delete specific personal data from back-up copies.
- GIODO decided that the Bank could legitimately hold the data only for the purpose for which it was originally collected. If it was originally collected for entering into a credit contract, it could not have been collected for archiving and the operational security of the bank – so there was no ground for holding the personal data in back-up copies.
- It may be that the personal data can be held in back-up copies as long as there is at least one legitimate ground for personal data possession. Personal data may be held for the purpose it was originally collected, or for any other legitimate purpose, provided that it is not contrary to the original purpose of collection.
- Perhaps GIODO should have examined whether the Bank was holding the personal data in back-up copies on the basis of the legitimate interest of the data controller – i.e. for a situation in which Mr X would want to complain to the Polish Financial Supervision Authority about an unlawful refusal to grant him credit.
- Notwithstanding the above, both courts confirmed that, regardless of any technical difficulties, specific personal data must be deleted from back-up copies.
- From the controller’s perspective this ruling may be difficult and expensive to implement. It should result in back-up copies being made or updated on a daily basis. It is also uncertain whether a data controller may hold personal data in the data filing system and/or back-up copies once the purpose for which the personal data was collected no longer exists, but where there is another lawful purpose that is not contrary to the initial one.