Reform Of Protection Of Personal Data System - Purpose, Tools - Joanna Taczkowska-Olszewska

Kup ebooka

28.17 zł
23.10 zł (23,10 zł najniższa cena z 30 dni)

-
Proszę czekać

Recenzja

prof. dr hab. Grzegorz Tylec

prof. dr hab. Michał Domagała

Redaktor prowadzący

Paulina Wiśniewska

Korekta

Anna Surendra, Sebastian Surendra

Projekt okładki

Studio Graficzne SILVA RERUM

Skład komputerowy

Munda Maciej Torz

Zdjęcie na okładce

Depositphotos

Prawa autorskie

Yakobchuk

? 2018 by Joanna Taczkowska-Olszewska, Monika Nowikowska, Agnieszka Brzostek

? 2018 by Wydawnictwo Naukowe SILVA RERUM

All rights reserved

ISBN

978-83-65697-28-8 /druk/

978-83-65697-29-5 /e-book/

Wydanie I: Wydawnictwo Naukowe SILVA RERUM

www.wydawnictwo-silvarerum.eu

Poznań 2018

Skład ukończono w 2018

CONTENTS

Joanna Taczkowska-Olszewska

Proprietary and non-proprietary nature of the right (to the protection) of personal data in the light of provisions reforming the personal data protection system in the EU

Lucyna Szot PhD

Protection of personal data in the context of the right to be forgotten

Maria Łoszewska-Ołowska PhD

Ban on the publication of personal data of suspected and accused persons vs. The act to protect such data

Małgorzata Polkowska PhD,

Safety of information. Pnr in civil aviation

Dariusz Nowak PhD

The specificity of personal data protection

Agnieszka Brzostek PhD

Processing of personal data by public authorities as part of administrative proceedings

Monika Nowikowska PhD

Protection of personal data in audit documents

Filip Radoniewicz PhD

Identity theft in the polish criminal code

Piotr Milik

Protection of the secret of entrepreneurs running economic activities in the armament sector (special trade)

Joanna Taczkowska-Olszewska

PhD, Professor at the War Studies University

Proprietary and non-proprietary nature of the right (TO THE PROTECTION) OF PERSONAL DATA IN THE LIGHT OF PROVISIONS REFORMING THE PERSONAL DATA PROTECTION SYSTEM IN THE EU

The 24 May 2016 entry into force of Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation, hereinafter the GDPR)1, which, pursuant to article 99 clause 2, will become effective in all EU Member States from 25 May 20182, signifies replacement of 28 national legislations by a single European set of legal provisions governing how personal information should be protected. It should be noted that the adoption of the GDPR means assigning supervision of cross-border3 data processing operations to a single body and ensuring a harmonised interpretation for the provisions of the Regulation, which results from the fact that EU authorities seem to have noticed the need to bolster confidence in digital services and improve their security as part of implementing the digital single market strategy. The GDPR has replaced former Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which is repealed subject to article 94 clauses 1 and 2 of the Regulation with effect from 25 May 2018. The abrogation and replacement of Directive 95/46/EC by the GDPR may imply the EU legislators' determination, as they have not only confined themselves to the rearrangement and refreshing of personal data protection policies throughout EU Member States, but have also decided to assume the role of the creator and auditor of this activity in Member States, which involves rulemaking and application of laws regarding personal data protection.

Changing the nature of the regulatory enactment by replacing the Directive with the Regulation means that the domain of personal data processing is placed under the legislative competence of EU authorities. Therefore, whereas the EU legislators' interference with this activity of the state was limited due to the type of the Directive as a non-legislative enactment, the replacement thereof by the Regulation has caused that the provisions of the latter can be neither implemented in national law nor even interpreted by national legislators, and only in the situations described in the Regulation (recital 8 of the GDPR)4 it may be possible for national legislators to clarify more specifically or narrow down some individual provisions of the GDPR. Pursuant to article 288 of the Treaty on the Functioning of the European Union5, the Directive was only binding on those Member States for which it was intended and only to a limited extent, i.e. with regard to the result to be achieved, leaving national authorities the liberty of choosing the form and means. The Regulation, however, is generally applicable, totally binding and directly enforceable in all Member States6. Once the GDPR enters into force, the role of national legislators is going to be limited, and namely to the mere guaranteeing and supervising the applicability of the GDPR7. The direct applicability of a EU regulation means that it can be carried into effect and enforced in favour of or against its addressees regardless of any adjustment measures whatsoever (...). It is true that, in case of any interpretation difficulties, a national administration may be forced to adopt some detailed rules on how to apply a EU regulation so that any doubts raised could be explained, but it may do so only insofar as such rules comply with the relevant provisions of EU law, with no binding rules on interpretation being allowed to be imposed by national authorities8.

At the same time, the EU legislators strongly argue that EU Member States are not able to sufficiently achieve on their own the objective of the GDPR implementation to ensure comparable degrees of protection for individuals and the free flow of personal data throughout the Union, which entitles EU authorities to take measures in accordance with the principle of subsidiarity referred to in article 5 of the Treaty on European Union (TEU) (recital 170). Furthermore, the European Commission has been entrusted with executive responsibilities (recital 167), as well as with those stipulated in article 290 TFEU, i.e. the right to adopt generally applicable laws to supplement or amend some insignificant items of legislation (recital 166).

Considering the fact that the EU legislators have not confined themselves to the mere adjustment of the personal data protection solutions that existed so far as required under Directive 95/46/EC9 but instead they have decided to repeal and replace it with the GDPR as well as the extent to which the powers delegated by the GDPR to the European Commission, including those of executive and constitutive nature, have been expanded, some fundamental change must have occurred in the field of personal data protection. It is reflected not only in the solutions, institutions and tools used in the GDPR, but above all in the newly adopted philosophy of personal data protection and the redefinition of its goals. At the same time, such changes must affect the way in which concepts such as data protection and the right to the protection of personal data are defined, for not only the notion of personal data becomes central, but also that of data, which comprises data that cannot be used to identify the person it relates to.

It is not without significance that the GDPR is one of the legal acts supposed to reform the personal data protection policy as part of the EU digital single market.10

As indicated in its wording, the e-Privacy Regulation is a lexspecialis to the GDPR, since it refines the GDPR with more details and inclusion of electronic communication data that can be classified as personal. Consequently, this means that the GDPR comprises only those aspects of personal data processing which are not directly referred to in the e-Privacy Regulation11. The decision to replace the Directive with the Regulation is justified by the goal of ensuring consistency with the GDPR and the need to guarantee legal certainty for users and companies and prevent any discrepancies in interpretation across Member States.12 As observed by X Konarski, the e-Privacy Regulation implements, though EU secondary legislation13, the fundamental right stipulated in article 7 of the Charter of Fundamental Rights of the European Union (CFR)14, which covers both electronic communication data, i.e. the contents of messages transmitted by end users (content data)15 and related metadata16, as well as data emitted by terminal equipment.17

The bundle of new solutions also includes the Regulation on a framework for the free flow of non-personal data in the European Union18, which, similar to the e-Privacy Regulation, is still in the pipeline. The solutions contained in this document are intended to ensure the free flow of data19 other than personal throughout the European Union by enacting regulations to impose the requirements for data localisation, data accessibility to competent authorities and the transfer of data by professional users (article 1 of the draft Non-Personal Data Regulation). Professional users are understood to be natural or legal persons, including public sector entities, using or requesting a data storage or other processing service for purposes related to their trade, business, craft, profession or task (article 3 clause 8 of the draft Non-Personal Data Regulation). Although the drafter makes it clear that the Non-Personal Data Regulation only relates to electronic data other than personal and accordingly does not affect the EU legal framework for personal data protection as outlined in the GDPR, it should be noted that, pursuant to article 13 clause 1 of the draft, this stipulation applies only to personal data in the narrow meaning of this term defined in article 4 item 1 of the GDPR.20

Even if you assume that the solutions defined in the draft Non-Personal Data Regulation will not apply to the data that can be used to identify the person it relates to, the Regulation will still include data generated by pseudonymisation. In the end, the conclusion reached in the draft Non-Personal Data Regulation does not completely exclude the applicability of its provisions with regard to data that has lost its personal nature and entered legal use. It is indicated in the literature that personal data is featured by the possibility of combining it, or assigning it to the individual it relates to. If information is no longer identifiable, you cannot regard as personal data anymore. In this context, pseudonymised data lies somewhere between anonymous information and personal data, for pseudonymised data cannot be assigned to a specific individual if no additional details, which are stored separately, are available.21

The right to the protection of personal data is regarded by legal doctrine and case law as a personal right emanated from the right to privacy and serving the protection of intangible property that cannot be waived or dispensed with.22 Considering the provisions of the GDPR and the solutions developed with the e-Privacy and the Non-Personal Data Regulations, it becomes apparent that two types of protection need to be ensured for personal data as a legal good of especially high value to individuals, i.e. protection that will take into account both the proprietary and non-proprietary natures of rights the subjects of such data have. It has been noted in the literature that the basic structures of laws supposed to introduce general, comprehensive frameworks for personal data protection oscillate between two models. The first one, described as a licensing model, makes the use of personal data dependant on taking permission from a government authority. The second model is based on the assumption that a sort of subjective right exists to dispose of one's own data.23 In the personal data protection system adopted in the EU, the latter applies. At the same time, considering that personal data, especially if pseudonymised, has achieved an autonomous status of property, having a determinable and verifiable proprietary value attached thereto, it has become necessary to find protection instruments other than those that have be used in relation to privacy protection so far.

As a digital single market is being formed, the existence and development of which is conditioned on access to personal data and the possibility of using it for commercial purposes, omitting the proprietary aspect of the protection of this right for the individuals such data relates to should be regarded as failure to address the need to ensure the balance of rights for economic operators, for if personal and pseudonymised data has any proprietary value, which, considering the priorities of European policy involving the growth of data-driven economy seems indisputable, it should be finally concluded that the catalogue of protective measures available to the individuals such data relates to should be commensurate with the type and nature of legally protected property.

Hence, the observation seems justified that the trade between participants of the digital single market has been entered by both personal data or personal data files and data alone.24 At the same time, however, most such data is the result of pseudonymisation. So, although the definition of personal data has not basically changed, the catalogue of the powers has been modified which make up the subjective right to personal data. Concurrently, this catalogue should meet the demands of enforcing the human rights and liberties enshrined in articles 7 and 8 of the CFR and in article 16 of the TFEU.

So it is not without meaning that the right to personal data protection is classified by the lawmaker as a human right placed in the same title of the CFR where protection is granted to values such as private life (article 7), the freedom of thought, conscience and religion (article 9), the freedom of expression and information (article 11), the freedom of assembly (article 12), the freedom of art and science (article 13) and the right to property (article 17). The right to personal data protection is safeguarded by article 8 clause 1 of the Charter of Fundamental Rights of the European Union25 and article 16 clause 1 of the Treaty on the Functioning of the European Union (TFEU).26 If you assume that the provisions of the CFR and the TFEU are of blanket nature and the details of how personal data should be protected are worked out particularly in the GDPR, it should be concluded that the EU legislators have completely omitted the proprietary aspect of personal data protection, ignoring the fact that personal data is goods which, being intangible and belonging to moral rights, by no means lose their proprietary value. So it is necessary to observe that giving permission to another party by the person data relates to, in particular to an entrepreneur for the use of such a person's data, has an effect comparable to giving (donating) benefits to a third party. In particular giving permission for the use of personal data for marketing purposes means, in fact, that such data may be placed on the market. Processes such as data pseudonymisation and profiling are secondary to giving permission, which legitimates bringing an individual's personal data into circulation.

Granting an individual negative rights, in particular the right to object to data processing (article 21 of the GDPR), the right to rectification (article 16 of the GDPR), the right to erasure (the right to be forgotten - article 17 of the GDPR) and the right to restriction of processing (article 18), should be accompanied not only by confirming that such an individual has also positive rights, but also by associating the scope of such rights and the way in which they can be exercised with the proprietary nature of the personal data as a legally protected good. Although the GDPR provides subjects of personal data with positive powers such as the right to data portability (article 20) and tightens the requirements data administrators have to meet to be allowed to process such data (article 7 of the GDPR), it does not associate the exercise of such powers with receiving any payment therefor by the person personal data relates to. So, on the one hand, which is often stressed in the literature, the EU legislators, when reforming the personal data protection rules, intended to restore for individuals the possibility of exercising actual control over their data27, whereas on the other they assumed that the central and only recital for individuals to exercise the powers assigned thereto in the GDPR would remain the need to protect their personal rights.

The data administrator requested to transfer personal data should do so without undue delay, but not later than within one month of the request.28

The data administrator must not oppose any action an individual can take to move his or her data, in particular when the person such data relates to has previously consented to the processing thereof for one or more specific purposes (article 6 clause 1 letter a of the GDPR) or when his or her data has been used in connection with the performance of an agreement the person such data relates to is party to (article 6 clause 1 letter b of the GDPR). The right to receive and then move data to another data administrator includes not only data that has been directly, deliberately and intentionally provided, but also that resulting from automatic processing. How to interpret the scope of the power indicated in article 20 of the GDPR is explained in recital 68 of the preamble. To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract.

The exclusion of the power conferred by article 20 concerns processing with a legal basis other than permission or agreement. Due to its nature, this right should not be exercised with regard to data administrators who process personal data as part of their public duties. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.

It should be noted that neither the normative provisions of the GDPR, including in particular article 20, nor the related interpretative clause contained in recital 68 of the preamble does exclude that subjects of data can sign separate agreements with data administrators for the use of their structured personal data, which they can freely move between data administrators.29 Signing such an agreement is not opposed by the regulations that make data processing contingent upon the person the data relates to giving his or her permission for that. Therefore, whereas in article 6 of the GDPR the requirements for the applicable statement to be made by the subject of data giving his or her permission are discussed in more detail, the legislators seem to admit that permission for the processing of an individual's personal data can be given against payment and under a mutual agreement between such an individual and the data administrator.

Another issue is the evaluation whether or not the exercise of the individual's right to move his or her personal data by means of signing an agreement for the paid transfer of the rights to his or her personal data, even if it seems allowable from a formal point of view (because it is not forbidden), is also reconcilable with the goals of the GDPR, in particular those indicated in the preamble, i.e. to develop a digital single market and a data-driven economy.

For the GDPR is supposed not only to strengthen the protection of privacy30, but above all to pave the way for economic undertakings the subject and the source of income of which is dealing with personal data. So the GDPR is aimed at determining the substantive and formal premises to enable the balancing of opposing interests, i.e. the right to trade in personal data on the one hand and the protection of privacy understood as the right to the protection of personal data on the other.

The protection of personal data would not need any reform if it were only to confirm the right to the protection of personal data. The reform seems to have become necessary, especially because the existence of legally guaranteed protection was required by a more extensive right, i.e. the right to the protection of personal data, which encompasses not only the individual's right to consent to or oppose the processing of his or her personal data, but also the right to gain economic advantages from trading in such data, to put it on data files and to move it between such data files. Therefore, this right should be understood not only as a set of negative powers, i.e. which entitles the individual to oppose any unauthorised use of his or her personal data, but also as a series of the rights assigned to every natural person to decide about how his or her personal data will be used and disposed of, including in particular the right to be paid for consenting to the use of his or her personal data. At the same time, it should be made clear that, despite the strong belief in the weight and value of personal data protection, the EU legislators have not stipulated in the GDPR solutions that could make the subject of data earn real, including proprietary, benefits from his or her personal data being traded in.

The EU legislators have accurately observed that a new market, i.e. a personal data market, is evolving in the economy, and it is possible to generate high profits on this market, as the manufacturing cost of personal data as a marketed product is zero. Due to the very fact of browsing the Web, every activity of Internet users is a finished product that can be cashed in. So users become unconscious producers of information about themselves and their preferences, thus generating high value goods for the data market.

A thorough review of the GDPR's recitals, which are included in 173 editorial units on 25 pages of text, indicates that the objectives of the reform of personal data protection outlined in the GDPR are hardly identifiable, and definitely cannot be limited to the indication of only one goal, which is most meaningful to the public and involves strengthening of the individual's protection. On the one hand, it has been adopted that 'natural persons should have control of their own personal data' (recital 7), whereas, on the other hand, it has been pointed out to the need of adopting resolutions that will make sure that 'the free flow of personal data in the European Union will not be restricted or forbidden for reasons regarding the protection of natural persons in connection with personal data processing' (recital 13). So one, yet not the only or even the most important, goal of the reform of personal data protection has become 'the introduction of efficient mechanisms to protect our privacy in the world of new technologies, reinforce the rights of citizens and establish a strong body to guard such rights'.31

Indicated in recital 173, the GDPR's main objective is 'to ensure a comparable degree of protection for natural persons and the free flow of personal data throughout the European Union'. It is pointed out that 'the processing of personal data should be designed to serve mankind' (recital 4) and 'the Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons' (recital 2). At the same time, it is decided that 'the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society' (recital 4).32

The solutions used in the Regulation are the effect of the observation expressed in documents previously adopted by EU authorities, whereby the driving force of the EU's economic growth is 'digital data, computation and automation'33 and 'a data-driven economy of the future'34. For already in 2014 the European Commission announced that, before entering the domain of a data-driven economy, a package of solutions had to be adopted to reform the rules of personal data protection, including in particular establishing the rules for the anonymisation, pseudonymisation and minimisation of data and the mechanisms of risk analysis with regard to personal data.35 The Commission noticed, but did not pay much attention to this issue, the need to regulate issues regarding data ownership and the liability associated with the delivery of data, in particular as far as data collected using Internet of Things technology is concerned.36

The EU legislators have not conclusively resolved the issue regarding the nature of the right to (the protection of) personal data. The EU's stance reveals the presence of contradictions, as the EU legislators identify personal data with the individual's personal rights (goods), which, as such, are inalienable and cannot be waived or dispensed with, while attributing proprietary value to personal data and thus allowing trade therein. It remains unclear, however, whether or not the EU legislators confirm the existence of or deny the individual the right to the commercial utilisation of his or her personal data, in particular as far as earning with the individual's right to personal data is concerned. At the same time, the legislators allow for personal data to be traded in where the beneficiary is an entrepreneur who has obtained it from his or her customers or has purchased personal data files as a professional participant of the data market. For the existence of the data-driven economy37 is a fact, and the role of the EU legislators, although it has not been explicitly revealed in the GDPR's recitals, is to put in order and regulate the data market. Participants of the data market, which is sometimes called ecosystem of the data-driven economy38, include manufacturers, researchers and infrastructure providers, who 'can use data to create various applications, which largely facilitate daily life (e.g. traffic control system, file optimisation or remote healthcare)'39.

So the GDPR not only heads towards producing an effect of strengthening the protection of privacy, but, in the first place, it is supposed to create conditions for the development of a data-driven economy. Therefore, the EU legislators are aiming at creating balance between the security and reliability of actions taken by persons whose personal data is processed and the responsibilities performed by professional users40 in connection with the harvesting and processing of personal data and in particular the form and scope of using such data for commercial purposes. However, the assumption underlying the GDPR's provisions that the subject of personal data is not initially entitled to be paid for transferring his or her data and giving permission to the processing thereof seems to be completely incomprehensible. On the one hand, the EU legislators see interest associated with the processing of personal data in the latter becoming a source of income for the economies of individual EU Member States and the economic growth being contingent on the cross-border flow of data41. On the other hand, they hold their view that personal data is a part of privacy and consequently cannot be waived or dispensed with. It should be out of question that personal data has obtained, both actually and legally, the status of goods proprietary in nature, and as such data is in legal use, it should generate for the persons such data relates to both proprietary and non-proprietary rights.

1 Regulation (EU) 2016/679 Of The European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 The European Parliament adopted the GDPR on 27 April 2016, and its wording was published in the Official Journal of the European Union on 4 May 2016. Pursuant to article 99 clause 2, the GDPR became effective on the twentieth day following that of its publication in the Official Journal of the European Union, i.e. on 24 May 2016, and it will become applicable from 25 May 2018 (article 99 clause 2 GDPR).

3 Cross-border data processing is defined in article 4 item 23 of the GDPR (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

4 E Bielak-Jomaa, Ogólne rozporządzenie o ochronie danych. Rewolucja w ochronie danych?, MOP 2017, No. 20, page 3.

5 Treaty on the Functioning of the European Union of 26 October 2012 (OJ C 2012 326, page 47).

6 The essence of EU Regulations is the direct effect thereof, which signifies that it is the rules stipulated in such Regulations that form the legal basis for cases pending before Member State authorities, but not provisions of any national legislation (P Litwiński, J Barta, J Kawecki, Commentary to article 99 of the GDPR [in:] Rozporządzenie UE w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takic danych. Commentary, P Litwiński (ed.), Warsaw 2018). The direct effect of the provisions of EU law means that a party referring to a specific provision of the GDPR is entitled to invoke the applicability there of before any Member State court both in private and public law litigation (Judgment of the European Court of Justice of 27 September 2001 in case C-63/99 the Queen vs the Secretary of the State, ECLI:EU:C:2001:488; Judgment of the European Court of Justice 27 September 2001 in case C-257/99 Barkoci and Malik, ECLI:EU:C:2001:491).

7 When reviewing national legislative bills to prepare the legal system for the implementation of the personal data protection reform, the Inspector General for Personal Data Protection (IGPDP) strongly noted that the submitted bills 'should contain nothing but provisions aimed at preparing the national legal order for the applicability of Regulation 2016/679 and a new Personal Data Protection Act', and accordingly it is not allowable to draft solutions that deviate from those stipulated in the GDPR (IGPDP's comments on the draft Personal Data Protection Act Enforcement Regulations and Personal Data Protection Act attached as Addendum 1 and 2, respectively, to the IGPDP's Letter to the Minister of Digital Affairs of 20 October 2017, http://IGPDP.gov.pl/pl/1520280/10202). At the same time, the Government Centre for Legislation has analysed that the national legislation relating to personal data protection includes some 800 legal acts that, once they have been thoroughly revised, need to be repealed or amended (E Bielak-Jomaa, D Lubasz, Polska i europejska reforma ochrony danych osobowych, E Bielak-Jomaa (ed.), Warsaw 2016, Legalis).

8 Judgment of the European Court of Justice z 31 January 1978, C-94/77, Fratelli ZerboneSnc vs Amministrazione delle finanze dello Stato, ECLI:EU:C:1978:17, quoted in: K Morawska, Rola oraz status..., Warsaw 2017, Legalis.

9 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23/11/1995 P. 0031 - 0050).

10 The Directive repels Framework Decision 2008/977/JHA of the Council. The Regulation is going to replace existing Directive 95/46/EC.

11 Item 1.2 of the draft e-Privacy Regulation.

12 Ibidem, item. 2.4

13 In X Konarski's opinion, the most substantial change brought about by the E-Privacy Regulation is its inclusion of a wide range of interpersonal communication services (the use of mobile devices), which was not regulated in Directive 2002/58 so far, as well as machine-to-machine communications (Internet of Things), which involves the processing of data on the users of various types of intelligent devices (see X Konarski, Rozporządzenie o e-Prywatności jako regulacja sektorowa względem ogólnego rozporządzenia o ochronie danych osobowych (RODO), (MoP supplement 20/2017), MOP 2017, No. 20, page 6).

14 As set out in article 7 of the CFR.

15 As defined in article 4 clause 3b of the draft e-Privacy Regulation.

16 As defined in article 4 clause 3c of the draft e-Privacy Regulation.

17 This term relates to information stored on end user terminals and relating to such terminals (article 8 of the draft e-Privacy Regulation).

18 Draft Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, COM(2017) 495 final 13 September 2017, http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX:52017PC0495, hereinafter the Draft Non-Personal Data Regulation.

19 The draft stresses that it is consistent with existing legal instruments, in particular it complies with the Electronic Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (Electronic Commerce Directive) (OJ L 178 of 17 July 2000, page 1), which is supposed to create a comprehensive and efficient single EU market for a broader category of information society services, and the Directive on services in the internal market (Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376 of 27 December 2006, page 36), which helps deepen a single EU services market in certain sectors (Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, COM(2017) 495 final, of 132 September 2017, http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX:52017PC0495).

20 The proposed definition resolves discrepancies between legal systems of EU Member States as far as the term 'personal data' is concerned, as well as dispels any doubts about the interpretation of how to determine the meaning of the expression 'identifiable person' and the premises indicating the 'possibility' of identifying the person personal data relates to. The EU legislators have left an open catalogue of premises enabling to ascertain that a person is identifiable, which in consequence means that the proposed definition is open-ended and allows a broad interpretation of personal data.

21 Commentary to article 4 GDPR [in:] Rozporządzenie (UE) w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Commentary, P Litwiński (ed.), Warsaw 2018.

22 It is indicated in the literature that personal data protection is one of the key aspects of the right to privacy (see M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Warsaw 2014, page 36 et seq.). J Barta and R Markiewicz point out that such approach to personal data protection is also adopted in national and international regulations (seeJ Barta, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 116).

23 J Barta, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 54.

24 The notion of data is defined negatively, for it is termed as 'data other than personal data referred to in article 4 item 1 of Regulation (EU) No. 2016/679' (article 3 clause 1 of the draft Non-Personal Data Regulation).

25 Charter of Fundamental Rights of the European Union of 30 March 2010 (OJ C 2010 83, page 389, hereinafter the CFR).

26 Treaty on the Functioning of the European Union of 26 October 2012 (OJ C 2012 326, page 47, hereinafter the TFEU).

27 K Morawska, Rola oraz status...,Warsaw 2017, Lergalis.

28 In complicated cases, the one month's period for delivery of data to the applicant can be extended to a maximum of three months provided that the person such data relates to is, within one month of the original request, notified of the reasons for such a delay (see P Liwiński, Komentarz do art. 20 RODO [in:] Rozporządzenie (UE) w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Komentarz, P Liwiński (ed.), Warsaw 2018.

29 Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

30 In the literature it is usually stressed that the GDPR 'is supposed to eliminate any differences in the degree of right protection for rights, which may arise in this respect from the enforcement of the Directive, as well as to avoid fragmentation, legal uncertainty and the popularisation of the belief that the protection of natural persons is substantially threatened, especially in the Internet' (see K Morawska, Rola oraz status prawny motywów preambuły ogólnego rozporządzenia o ochronie danych - klucz do wykładni przepisów nowego prawa unijnego [in:] Ogólne rozporządzenie o ochronie danych osobowych. Wybrane zagadnienia, M Kawecki, T Osiej (ed.), Warsaw 2017, Legalis.

31 The IGPDP's comments on the draft of new regulations on the protection of personal data, http://IGPDP.gov.pl/pl/1520280/10202 (accessed on 9 January 2017).

32 It should be noted here that the preamble is not normative in nature and cannot be referred to as a basis for deviations from the provisions of any act (see Judgment of the European Court of Justice of 19 November 1998 in case C-162/97, Legalis, criminal proceedings against Gunnar Nilsson, Per Olov Hagelgren and Solweig Arrborn, ECLI:EU:C:1998:554, item 54), for the preamble contains reference to the purpose of the legal regulation, which indicates its assumptions and ideological foundations (see K Morawska, Rola oraz status..., Warsaw 2017, Legalis).

33 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM/2014/0442 final) http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=celex:52014DC0442. On EUR-LEX pages the commentary was described as 'a strategic document containing ideas for the use of data by EU Member States in a way beneficial to their economies' (http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=LEGISSUM:3102_2).

34 Ibidem, page 2.

35 Ibidem, page 14.

36 Ibidem, page 16

37 The definition of a data-driven economy is quoted in the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN. According to that definition, the data economy measures the overall impacts of the data market, i.e. the marketplace where digital data is exchanged as products or services derived from raw data, on the economy as a whole. It involves the generation, collection, storage, processing, distribution, analysis, elaboration, delivery, and exploitation of data enabled by digital technologies (European Data Market study, SMART 2013/0063, IDC, 2016). In 2014 the EU data-driven economy was estimated at ?257 billion, i.e. 1.85% of the EU GDP (European Data Market study, SMART 2013/0063, IDC, 2016). In 2015 this figure rose up to ?272 billion, i.e. 1.87% of the EU GDP (5.6% increase compared with the previous year). According to the same forecast, if a framework for the functioning of a data-driven economy is created within an appropriate timeframe, in 2020 its value will increase up to ?643 billion, i.e. 3.17% of the European Union's total GDP (Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN.

38 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN.

39 Ibidem.

40 Article 3 clause 8 of the draft Non-Personal Data Regulation.

41 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM/2014/0442 final) http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=celex:52014DC0442.

42 S Hoc, T Szewc, Ochrona danych osobowych i informacji niejawnych, Warsaw 2014, page 10.

43 A Drozd, Zakres zakazu przetwarzania danych osobowych, PiP 2003, issue 2, page 48.

44 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Wolters Kluwer, Warsaw 2014, page 155.

45 The case law of Argentinian and Swiss courts as well as of the European Court of Human Rights regarding the right to be forgotten was gathered and presented in the Master's thesis titled The Right to Be Forgotten as an Instrument to Protect the Right to Privacy, Krzysztof Żołyński, op. cit., pages 50-54.

46 S Frankel, D Gervais, The Evolution and Equilibrium of Copyright in the Digital Age, Cambridge University Press 2014, page 187.

47 V Sreeharsha, Google and Yahoo Win Appeal in Argentina Case, New York Times, 20 August 2010.

48 F Werro, The Right to Inform v. the Right to be Forgotten: A Transatlantic Clash, Centre for Transnational Legal Studies Colloquium, Research Paper No. 2 May 2009, page 290.

49 L Siry, S Schmitz, A Right to be Forgotten? - How Recent Developments in Germany May Effect The Internet Publisher in the US, European Journal of Law and Technology, Vol. 3, No. 1, 2012, page 3.

50 A H Stuart, Google Search Results: Buried If Not Forgotten, North Carolina, Journal of Law & Technology, Volume 15, Issue 3, Spring 2014, pages 480-481.

51 Regulation directly applicable in national legal systems since 25 May 2018 for all those who process personal data as part of their business activities.

52 What is of critical importance to entrepreneurs is to define the maximum penalty for infringing applicable laws, which penalty can amount to even ?20,000,000 or 4% of the entrepreneur's total annual worldwide turnover in the financial year preceding the infringement.

53 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, EC OJ L 281 of 23 November 1995.

54 I Stupariu, Defining the Right to be Forgotten. A Comparative Analysis between the EU and the US, LLM Short Thesis, Central European University 2015, page 31.

55 The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), published on 4 May 2016 in EC Official Journal L 119; pursuant to article 99 of the General Regulation, it becomes effective twenty days after its publication in the EC Official Journal and will be remain in force until 25 May 2018.

56 M Krzysztofek, Prawo do bycia zapomnianym i inne aspekty prawa prywatności w epoce Internetu w prawie UE, Europejski Przegląd Sądowy, August 2012, No. 2, page 29.

57 http://eur-lex.europa.eu/legal-content/PL/TXT/PDF/?uri=CELEX:31995L0046&from=pl

58 K Żołyński, op. cit., pages 57-59

59 Ruling of the European Court of Justice of 13 May 2014 in case C 131/12 Google Spain i Google Inc., page 7.

60 Directive 95/46/EC on the protection of personal data.

61 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Wolters Kluwer, Warsaw 2014, page 165.

62 Google Spain SL v. Agencia Espa?ola de Protección de Datos. Court of Justice of the European Union Creates Presumption that Google Must Remove Links to Personal Data upon Request. http://harvardlawreview.org/2014/12/google-spain-sl-v-agncia-espanola-de-proteccion-de-datos/

63 Press release No. 70/14 of the European Court of Justice, Luxembourg 13 May 2014 http://curia.europa.eu/jems/upload/docs/application/pdf/2014-05/cp140070pl.pdf

64 M Czerniawski, Commentary to the ruling of the Court of Justice of 13 May 2014, C-131/12, LEX/el.

65 M Kręcisz, Commentary to the ruling of the Court of Justice of 13 May 2014, C-131/12, LEX/el.

66 Ł Goździaszek, Prawo do bycia zapomnianym w wyszukiwarce internetowej - glosa do wyroku Trybunału Sprawiedliwości z dnia 13 maja 2014 r. w sprawie C 131/12 Google Spain i Google Inc. przeciwko Agencia de Proteccion de Datos (AEPD) i Mario Costeja Gonzalez, Europejski Przegląd Sądowy, No. 2, 2015, page 43.

67 The potential introduction of the right to be forgotten in the United States is arguable. Reasons for that include the sceptical approach to the described concept in the US, as well as a significantly different understanding of privacy and its relation to other personality rights, such as freedom of speech.

68 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) of 4 May 2016, EU OJ L 119.

69 M Krzysztofek, "Prawo do bycia zapomnianym" i inne aspekty prywatności w epoce Internetu w prawie UE, Europejski Przegląd Sądowy 2012, No. 8, page 34.

70 M Piech, Wyszukiwarka jako administrator danych osobowych w kontekście wyroku Trybunału Sprawiedliwości z 13.05.2014 r. w sprawie C-131/12 Google Spain SL i Google Inc. przeciwko Agencia de Proteccion de Datos (AEPD) i Mario Costeja Gonzalez - konsekwencje dla pośredników internetowych, Europejski Przegląd Sądowy, No. 2, 2015, page 24.

71 M Śledzikowski, Prawo do bycia zapomnianym w Internecie - nowe standardy ochrony danych osobowych w Unii Europejskiej, Ochrona prywatności w nowych technologiach. Published by the Computer Law Block students' society, Wrocław 2015, page 79.

72 Maria Łoszewska-Ołowska PhD, an Adjunct Professor at the University of Warsaw Faculty of Journalism, Information and Book Studies.

73 Act of 26 January 1984 (Journal of Laws No. 5, item 24, as amended), hereinafter the Press Law.

74 Act of 29 August 1997 (Journal of Laws of 2016, item. 922), hereinafter the Personal Data Protection Act.

75 R Koper, Jawność rozprawy głównej a ochrona prawa do prywatności w procesie karnym, Warsaw 2010, page 383.

76 Op.cit.

77 This provision reads: Except for the provisions of articles 14-19 and article 36 clause 1, the Act shall not be applicable either to any journalistic activities as defined in the Press Law Act of 26 January 1984 (Journal of Laws No. 5, item 24, as amended) as well as to any literary or artistic activities unless freedom to express opinions and communicate information grossly violates the rights and liberties of the person such information pertains to.

78 J Barta, P Fajgielski, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 332.

79 Op.cit., page 334.

80 For more information on the said journalist'sprivilege, see, amongotherthings, M Sakowska, A Młynarska-Sobaczewska, Klauzula prasowa z ustawy o ochronie danych osobowych jako gwarancja wolności wypowiedzi, Państwo i Prawo, No. 1 of 2005, pages 68-77.

81 See, amongotherthings, J Barta, M Fajgielski, R Markiewicz, Ochrona danych osobowych..., pages 345-346.

82 So op.cit., pages 351 and 353.

83 Op.cit., page 351.

84 So op.cit., page 352.

85 Op.cit., page 355.

86 R Koper, Jawność rozprawy..., page 385.

87 J Sobczak, Dziennikarz - sprawozdawca sądowy. Prawa i obowiązki, Warsaw 2000, page 171; J Sobczak, Prawo prasowe. Komentarz, Warsaw 2008, page 519.

88 J Barta, R Markiewicz Prawo mediów, Warsaw 2005, page 269.

89 Prawo prasowe. Komentarz, Warsaw 2008, page 115,

90 E Nowińska, Wolność wypowiedzi prasowej, Warsaw 2007, page 94. Seealso A Augustyniak, Prawo prasowe. Komentarz, edited by B Kosmus, G Kuczyński, pages 221-222.

91 Lex No. 394884.

92 Lex No. 424237.

93 So the Supreme Court in its ruling of 6 June 2003 (IV CKN 191/01).

94 Lex No. 62601.

95 So K Włodarska-Dziurzyńska, (in:) Media a dobra osobiste, edited by J Barta, R Markiewicz, Warsaw 2009, pages 253-254.

96 Art. 3. 5 Directive states that PNR means a record of each passenger's travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers onto flights, or equivalent systems providing the same functionalities.

97 M. Lis, The authorities will receive the abilities. All information about the air passengers will come to the national base, in: www.money.pl' 20.11.2017,h. 17:45

98 O.J. L 119, 4.5.2016,

99 T. Balcerzak, Safe flight, safe data's In : www.ec. europa.eu, 11-12-2017 17.45

100 Application Programming Interface- an application programming interface (API) is a set of a subroutine definitions, protocols, and tools for building application software.

101 Council Directive 2004/82/WE of 29 April 2004 on the obligation of carriers to communicate passenger data (O.J. L 261 6.8.2004, p. 24).

102 Charter of Fundamental Rights of the European Union (2012/c 326/02) O.J C 326/391 26.10.2012

103 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108, Strasbourg, 29.01.1981; coe.int

104 European Convention on Human Rights as amended by Protocols 3, 5 i 8 and 2; echr.coe.int

105 Regulation EU Nr 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Members States of the Commission's exercise of implementing Power (O.J. L 55, 28.2.2011, p. 13).

106 The Protocol relating to the Status of Refugees, New York 31 January 1967 r. (Dz. U. 20 December 1991).

107 Council Decision 2009/371/JHA (Justice and Home Affairs Council) of 6 April 2009 establishing the European Police Office (Europol) (O.J L 121, 15.5.2009, p. 37).

108 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the Exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (O.J. L 386, 29.12.2006, p. 89)

109 Directive 2004/38/WE of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) no 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC i 93/96/EEC (O. J. L 158, 30.4.2004, p. 77).

110 'Push method'"-means the method whereby air carriers transfer PNR data listed in Annex I into the database of the authority requesting them;

111 Passenger name record data as far as collected by air carriers: PNR record locator, date of reservation/issue of ticket, Date(s) of intended travel, Name(s), Address and contact information (telephone number, e-mail address), all forms of payment information, including billing address, Complete travel itinerary for specific PNR, frequent flyer information, travel agency/travel agent, travel status of passenger, including confirmations, check-in status, no-show or go-show information, split/divided PNR information, General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent) Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields, seat number and other seat information, code share information, all baggage information, Number and other names of travellers on the PNR Any advance passenger information (API) data collected (including the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time). All historical changes to the PNR listed in numbers 1 to 18.

112 "To depersonalize" through masking out of data elements' means to render those data elements which could serve to identify directly the data subject invisible to a user.

113 Directive 95/46/WE of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/1995, p. 31-50

114 O.J L 261 06.08.2004

115 O.J L 215 11.08.2012

116 O.J L186 14.07.2012

117 The justification to the Act Project z 14-11-2017, MSWiA, p. 3

118 From The justification to the project: www. mswia.gov.pl

119 M. Lis, The controversy among the New base of the data's of Polish authorities, Panaptykon: is limiting the basic rights, in: www. money.pl; 2017-11-28 06.09

120 M. Lis, op. cit.

121 Col. phdeng. Dariusz Nowak - deputy director of the Institute of Law and the Defense Administration of the National Security Faculty of the War Studies University.

122 Article 47 of the Constitution of the Republic of Poland of 2.04.1997 (Journal of Laws of 1997, No. 78, item 483).

123 The duty of military service consists in: performing military exercises, performing preparatory service, and performing periodic military service by reserve soldiers and territorial military service.

124 Article 4 paragraph 2 and 2a of the Act of November 21, 1967 on the Universal Defense of the Republic of Poland (Journal of Laws of 2017, item 1430, as amended), sections III, IV, V and VII (further u.p.o.o.).

125 Ibid.

126 Electronic records do not include soldiers who perform professional military service on official positions in civil institutions.

127 Section 17 of the Ordinance of the Minister of National Defense from 31.10.2014 on military records of professional soldiers (Journal of Laws of 2014, item 1638).

128 http://rczpi.wp.mil.pl/pl/46.html[access: 6.12.2017].

129 http://rczpi.wp.mil.pl/pl/44.html[access: 6.12.2017].

130 http://rczpi.wp.mil.pl/pl/45.html[access: 6.12.2017].

131 http://rczpi.wp.mil.pl/pl/61.html[access: 6.12.2017].

132 Decision No. 44/MON of the Minister of National Defense of 15/02/2013 on the implementation of the networked military record system "SEW on-line" for operational use (Journal of Defense of the Ministry of National Defense 2013, item 50).

133 http://beo.wp.mil.pl/[access: 10.01.2018].

134 http://beo.wp.mil.pl/3.html[access: 10.01.2018].

135 http://beo.wp.mil.pl/5.html[access: 10.01.2018].

136 http://www.cyberdefence24.pl/592211,media-spolecznosciowe-zagrozeniem-dla-zolnierzy[access: 10.01.2018].

137 Judgment of the Supreme Administrative Court in Warsaw of 19 December 2011 (I OSK 1100/11).

138 Act of 5.10.2010 on the protection of classified information (Journal of Laws 2010, No. 182, item 1228, as amended).

139 Regulation of the Minister of National Defense of 19/12/2013 on specific tasks of protection proxies for the protection of classified information in organizational units subordinate to or supervised by the Minister of National Defense (Journal of Laws of 2016, item 1720).

140 Article 266 para. 1 of the Act of 6.06.1997 - Penal Code (Journal of Laws 1997, No. 88, item 553, as amended).

141 Agnieszka Brzostek PhD - lecturer at the Chair of Administration and Administrative Law, Institute of Law and Defence Administration, Faculty of National Security, War Studies University

142 Administrative Procedure Code Act of 14 June 1960 (Journal of Laws of 2017, item 1257, consolidated text).

143 Ruling of the Supreme Administrative Court of 6 December 2011, case file I OSK 268/11.

144 Ruling of the Administrative Court in Warsaw of 19 May 2016, case file I ACa 1056/15.

145 Article 51 of the Polish Constitution of 2 April 1997, Journal of Laws of 1997, No. 78, item 483.

146 Personal Data Protection Act of 29 August 1997, Journal of Laws of 2016, item 922.

147 Ruling of the Supreme Court of 11 February 2015, case file I CSK 868/14, Lex No. 1677121.

148 Article 7 clause 2 of the Personal Data Protection Act. See also Ruling of the Provincial Administrative Court in Warsaw of 12 July 2017, case file II SA/Wa 2221/16, Lex No. 2337509.

149 Article 23 clauses 1-5 of the Personal Data Protection Act.

150 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 23 ustawy o ochronie danych osobowych, as at 1 July 2015.

151 Ruling of the Provincial Administrative Court in Warsaw of 12 July 2017, case file II SA/Wa 2221/16, Lex No. 2337509.

152 Ibid.

153 Ruling of the Supreme Administrative Court in Warsaw of 20 February 2013, case file I OSK 258/12, Lex No. 1356990.

154 Ibid.

155 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, case file I OSK 2029/11, Lex No. 1341461.

156 Ibid.

157 Ibid.

158 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.

159 EU OJ L95.281.31 as amended.

160 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.

161 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 24 ustawy o ochronie danych osobowych, op. cit.

162 Article 26 clause 1 of the Personal Data Protection Act

163 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 26 ustawy o ochronie danych osobowych, as at 2015.07.01.

164 Article 26a clause 1 of the Personal Data Protection Act.

165 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 26a ustawy o ochronie danych osobowych, op. cit.

166 Article 31 clause 1 of the Personal Data Protection Act

167 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.

168 Ibid.

169 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 32 ustawy o ochronie danych osobowych, op. cit.

170 Ibid.

171 Article 33 clause 1 of the Personal Data Protection Act.

172 Ruling of the Provincial Administrative Court in Warsaw of 14 July 2016, case file II SA/Wa 2080/15.

173 Article 34 of the Personal Data Protection Act.

174 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 34 ustawy o ochronie danych osobowych, op. cit.

175 P. Litwiński, Ochrona danych osobowych w ogólnym postępowaniu administracyjnym, Warsaw 2009, page 238.

176 Article 35 clause 1 of the Personal Data Protection Act.

177 J Barta, P Fajgielski, Markiewicz, Komentarz do Article 35 ustawy o ochronie danych osobowych, op. cit. For more information on data processing and the request to stop data processing, see P Litwiński, op. cit.

178 P Litwiński, op. cit., page 243.

179 Ibid, page 243.

180 Monika Nowikowska PhD, lecturer at the War Studies University Faculty of National Defence, Institute of Law and Defence Administration, Department of Administration and Administrative Law.

181 Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws No. 78, item 483 as amended).

182 M Safjan, Ochrona danych osobowych - granice autonomii i informacji, (in:) Ochrona danych osobowych, edited by M Wyrzykowski, Warsaw 1999, page 9.

183 M Polok, Bezpieczeństwo danych osobowych, Warsaw 2008, page 26.

184 K Karsznicki, Kryteria dostępu do informacji publicznej, Prokuratura i Prawo 2015, issue 11, page 112.

185 A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2006, page 15.

186 Government Administration Audit Act of 15 July 2011 (Journal of Laws No. 185, item 1092).

187 Access to Public Information Act of 6 September 2001 (Journal of Laws of 2016, item 1764, as amended).

188 Ruling of the Supreme Administrative Court of 17 November 2000, II SA 1860/00, unpublished.

189 W Robaczyński, Postępowanie kontrolne, (in:) Komentarz do ustawy o Najwyższej Izbie Kontroli, E Jarzęcka-Siwik, T Liszcz, M Niezgódka-Medkova, W Robaczyński, Warsaw 2000, pages 166-167.

190 Bill of 12 December 2017

191 E.g. article 41 - Fundamental Principles of Performance Auditing (ISSAI 300).

192 P Szustakiewicz, Podstawy prawne udzielania informacji prasie przez Najwyższą Izbę Kontroli, Kontrola Państwowa 1999, issue 6, page 22.

193 See: Supreme Administrative Court's ruling of 8 November 2002, II SA 181/2002, unpublished; ruling of the Provincial Administrative Court in Lodz of 10 January 2008, II SAB/Łd 29/07, Lex No. 505423.

194 M Nowikowska, Wystąpienie pokontrolne jako informacja jawnoźródłowa białego wywiadu, (in:) Bezpieczeństwo informacyjne. Aspekty prawno-administracyjne, edited by W Kitler, J Taczkowska-Olszewska, Warsaw 2017, pages 207-221.

195 J Ruszewski, P Sitniewski, Ustawa o dostępie do informacji publicznej w orzecznictwie, page 28, published on www.jawnosc.pl.

196 IGPDP's decision of January 2017 z 01.2007, no case number, IGPDP's decision of 15 December 2013, DIS/DEC-158/13/9658.

197 Ruling of the Constitutional Tribunal of 19 June 2002, K11/2002,

198 A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2006, page 15.

199 I Szostek, Prawo do informacji publicznej a ochrona danych osobowych, (in:) Bezpieczeństwo informacyjne. Aspekty prawno-administracyjne, edited by W Kitler, J Taczkowska-Olszewska, Warsaw 2017, page 270.

200 A Lach, Kradzież tożsamości, Prokuratura i Prawo 2012, issue 3, pages 29-30. Cf. A Murray, Information Technology Law. Law and Society. Third Edition, Oxford University Press, pages 429-430.

201 Australian Centre for Policing Research and the Australian Transaction Reports and Analysis Centre, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency, Report Series No. 145.3, Australian Centre for Policing Research 2006, pages 9-10.

202 For more details see J Clough, Principles of Cybercrime. Second edition, Cambridge University Press 2015, pages 218-219, 238-239; I Walden, Computer Crimes and Digital Investigationpage Second edition, Oxford University Press 2016, pages 114-115.

203 Council of Europe Convention on Cybercrime signed in Budapest on 23 November 2001 (Journal of Laws of 2015, item 728). It should be noted, however, that the Convention defines an offence, a form of which can be deemed to include identity theft, namely the so-called computer related forgery understood as "the input, alteration, deletion or suppression of computer data resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible" (cf. M Summer, C Schwarzenegger, G Ege, F Young, The Emergence of EU Criminal Law, Oxford and Portland, Oregon 2014, page 246).

204 Council Framework Decision 2005/222/JHA on attacks against information systems (OJ L 69 of 16 March 2005, page 67).

205 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218 of 14 August 2013, page 8).

206 Criminal Code Act of 6 June 1997 (consolidated text: Journal of Laws of 2017, item 2204, as amended), hereinafter as the Criminal Code.

207 Act of 25 February 2011 changing the Criminal Code Act (Journal of Laws No. 72, item 381.), hereinafter the Amendment Act 2011.

208 Commission proposal for a directive of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA of 30 September 2010 (COM(2010) 517 final version).

209 It provides a penalty for up to three years of imprisonment for the persistent harassment of another person or such a person's next of kin, which makes such a person justified sense of threat or signicicantly violates the person's privacy.

210 M Budyn-Kulik, Komentarz do art. 190a k.k.[in:] Kodeks karny. Komentarz do zmian wprowadzonych ustawą z 25 lutego 2011 r. o zmianie ustawy Kodeks karny, Lex/el., item 50; cf. A Lach, Karnoprawna reakcja na zjawisko kradzieży tożsamości, Warsaw 2015, pages 90-91.

211 Reasoning of the Amendment Act 2011, Parliamentary Print No. 3553 of 27 October 2010, page 10.

212 Ibidem.

213 The idea of including in the Personal Data Protection Act of 29 August 1997 (consolidated text:Journal of Laws of 2016, item 922, as amended; hereinafter the PDPA) a provision to criminalise cyberstalking was rightly rejected, which the proponents justified by pointing out that "the designed provision relates to a general offence that can be committed by everyone rather than to most of the criminal ones stipulated in the Act, which are personal in nature and, as a rule, involve the penalisation of acts committed by data file administrators and personal data processorpage. In addition, protection against such misdemeanours is guaranteed, above all, by ensuring the proper movement of the data records maintained under the said statutory regulation (Reasoning of the Amendment Act 2011, page 10)".

214 M Budyn-Kulik, Komentarz do art. 190a k.k..., item 54;

215 M Budyn-Kulik, Komentarz do art. 190a k.k..., item 54; A Lach, Karnoprawna reakcja..., page 89

216 M Budyn-Kulik, Komentarz do art. 190a k.k...., items 54-55.

217 M Mozgawa [in:] System Prawa Karnego. Tom 10. Przestępstwa przeciwko dobrom indywidualnym, edited by J Warylewski, Warsaw 2016, page 468.

218 Ibidem.

219 Słownik języka polskiego. Volume III, edited by M Szymczak, Warsaw 1995, page 719.

220 A Zoll [in:] Kodeks karny. Część szczególna. Tom II. Komentarz do art. 117-277 k.k., edited by A Zoll, Warsaw 2013, page 607.

221 Słownik języka polskiego..., page 752.

222 Ruling of the Supreme Courtof 7 March 2003 (case No. I CKN 100/01, unpublished)

223 J Barta, Markiewicz, Wokół prawa do wizerunku, Warsaw 2002, page 12; J Sieńczyło-Chlabicz, Rozpowszechnianie wizerunku osób powszechnie znanych, Przegląd Prawa Handlowego 2003, issue 9, page 40 J Panowicz-Lipska [in:] Kodeks cywilny. Tom I. Komentarz. Art. 1-44911, edited by J Gutowski, Warsaw 2016, pages 117-118; A Sakowicz, M Królikowski [in:] Kodeks karny. Część szczególna. Tom I. Komentarz do artykułów 117-221, edited by M Królikowski, R Zawłocki, Warsaw 2017, page 591.

224 Ruling of the Supreme Court of 20 May 2004 II CK 330/03

225 Sobolewski [in:] Kodeks cywilny. Komentarz. Tom I. Przepisy wprowadzające. Część ogólna. Własność i inne prawa rzeczowe, edited by K Osajda, Warsaw 2013, page 400. Cf. T Grzeszak [in:] System Prawa Prywatnego. T. 13. Prawo autorskie, edited by J Barta, Warsaw 2013, pages 786-787.

226 Civil Code Act of 23 April 1964 (consolidated text: Journal of Laws of 2017, item 459, as amended).

227 Consolidated text: Journal of Laws of 2016, item 666, as amended.

228 J Panowicz-Lipska [in:] Kodeks cywilny..., page 118. For more details see T Grzeszak [in:] System Prawa Prywatnego..., pages 783-784, A Matlak, Cywilnoprawna ochrona wizerunku, Kwartalnik Prawa Prywatnego 2004, issue 2, page 320.

229 Similar to A Sakowicz, M Królikowski [in:] Kodeks karny..., page 591 and, as it seems, M Mozgawa [in:] System Prawa Karnego..., page 469 and M Budyn-Kulik [in:] M Budyn-Kulik, Komentarz do art. 190a k.k..., pkt 60-62; contrary to P Furman [in:] P Furman, Próba analizy konstrukcji ustawowej przestępstwa uporczywego nękania z art. 190a k.k. Zagadnienia wybrane, Czasopismo Prawa Karnego i Nauk Penalnych 2012, issue 3, page 71), who narrows the subject of protection down only to imagein the second meaning, i.e. the established imageof a person.

230 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 of 27 April 2016, page 1), hereinafter referred to as the GDPR.

231 J Barta, P Fajgielski, Markiewicz, Ochrona danych..., pages 338-339; P Barta, P Litwiński, Ustawa o ochronie danych osobowych. Komentarz, 2016, page 77; A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2007, page 41), A Mednis, Ustawa o ochronie danych osobowych. Komentarz, Warsaw 2002, pages 21-22.

232 P Barta, P Litwiński, Ustawa o ochronie..., page 77. Also A Mednis, Ustawa o ochronie..., page 21.

233 J Barta, P Fajgielski, R Markiewicz, Ochrona danych osobowych. Komentarz, Warsaw 2011, page 339; J Kosonoga [in:] R A Stefański (editor), Kodeks karny. Komentarz, Warsaw 2015, page 1094.

234 J Barta, P Fajgielski, R Markiewicz, Ochrona danych..., page 339, G Sibiga, Postępowanie w sprawach ochrony danych osobowych, Warsaw 2003, page 33.

235 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej po reformie. Komentarz do rozporządzenia Parlamentu Europejskiego i Rady (UE) 2016/679, Warsaw 2016, page 41

236 P Barta, P Litwiński, Ustawa o ochronie..., pages 78-79.

237 Information on a dead person can be the personal data of a living person, e.g. the name of a deceased parent. For more details see e.g. J Barta, P Fajgielski, Markiewicz, Ochrona danych..., pages 344-345; s. P Barta, P Litwiński, Ustawa o ochronie..., page 79.

238 As pointed out in the literature, information on a private individual can be derived from information on a body corporate, therefore it happens that the boundaries between information on a private individual and that on a body corporate become vague (J Barta, P Fajgielski, R Markiewicz, Ochrona danych..., page 340); also A Lach, Prawnokarna reakcja..., page 97; M Mozgawa [in:] M Mozgawa (editor), Kodeks karny. Komentarz, Warsaw 2015, page 509).

239 A Zoll, Kodeks karny..., page 607, M Mozgawa, System Prawa Karnego..., page 470.

240 A Szpunar, O zadośćuczynieniu z tytułu uszkodzenia ciała, Studia Iuridica 1994, volume XXI, page 171.

241 Cf. F Radoniewicz, Dochodzenie roszczeń cywilnych w polskim postępowaniu karnym - analiza obecnej regulacji na tle wcześniejszych rozwiązań [in:] Ex contractu, ex delicto - z dziejów prawa zobowiązań, edited by M Mikuła, K Stolarski, Cracow 2012; For more details see e.g. A Brzozowski, W Czachórski, M Safjan, E Skowrońska-Bocian, Zobowiązania. Zarys wykładu, Warsaw 2009, pages 84-93.

242 M Mozgawa [in:] System Prawa Karnego..., pages 470-471. As stressed by A Lach, pursuant to article 190a § 2 of the Criminal Code no criminal liability can be imposed on a perpetrator who uses another person's identity to hide the perpetrator's own one or cause damage to a third party (i.e. other than that whose personal data the perpetrator uses) or who acts only to gain a financial advantage (A Lach, Karnoprawna reakcja..., page 92).

243 M Mozgawa [in:] System Prawa Karnego..., pages 470-471.

244 Consolidated text: Journal of Laws of 2016, item 1541, as amended.

245 Consolidated text: Journal of Laws of 2016, item 1654, as amended.

246 M Mozgawa [in:] System Prawa Karnego..., page 471.

247 M Budyn-Kulik, Komentarz do art. 190a k.k., pkt 59. Similarly A Lach, Karnoprawna reakcja..., page 99.

248 An opposite view in this respect was taken by A Lach (A Lach, Karnoprawna reakcja..., page 101).

249 M Mozgawa [in:] System Prawa Karnego..., pages 471-472.

250 Dr Piotr Milik - assistant professor at the Institute of Law and Defense Administration, National Security Department, Academy of Military Studies.

251 See R. Zięba, Funkcjonowanie paneuropejskiego mechanizmu bezpieczeństwa KBWE/OBWE, "Studia Europejskie" 1998, nr 3, s. 85.

252 FSC.JOUR/314, the material available at the Internet address: http://www.osce.org/fsc/20783.

253 Article 27a of the Act of November 29, 2000 on foreign trade in goods, technologies and services of strategic importance for the security of the state, and for the maintenance of international peace and security: "1. The entity exporting arms is obliged to hand over to the minister competent for foreign affairs an annual report on the actual implementation of this export, by the end of April next year. 2. The report referred to in para. 1, includes in particular:

1) the name, quantity and value of the arms being exported;2) control category;3) numbers of used permits;4) end user's country ".

254 Journal of Laws from 2004, No. 229, item 2315.

255 Resolution of the General Assembly No. 46 / 36L of December 6, 1991, A / RES / 46/36. Provisions regarding the creation of the Conventional Weapons Register can be found in item "L" of the resolution entitled: Transparency in Armaments.

256 www.msz.gov.pl/pl/polityka_zagraniczna/polityka_bezpieczenstwa/kontrola_eksportu/transparencja/transparencja;jsessionid=36A51C201162AEB978C304DF7244F01F.cmsap1p

257 For example, during the civil war in Spain in the 1930s, despite the self-imposed commitment to the embargo on the supply of weapons to this country, Poland secretly carried out supplies of weapons to both the Republican government in Madrid (Poland was the third country in terms of the number of weapons delivered. First and the second were the Soviet Union and France), as well as for the forces of General Francisco Franco. In addition, in September 1936, Poland became a member of the International Non-intervention Committee in Spain, whereby in the same month the vessels carrying the military equipment to Spain regularly left polish military port of Westerplatte. See. A. Fedorowicz, Niech żyje wojna, "Polityka" No. 48, 23.11.2016, pp. 62-64.

258 The Act of August 5, 2010, on the Protection of Classified Information (Journal of Laws from 2010, No. 182, item 1228).

259 See S. Hoc, Ustawa o ochronie informacji niejawnych. Komentarz, Warszawa 2010, p. 84.

260 The Act of June 6, 1997 - Code of Criminal Procedure (Journal of Laws of 1997 No. 89, item 555).

261 The Act of November 17, 1964 - Code of Civil Procedure (Journal of Laws 1964 No. 43, item 296).

262 The Act of June 14, 1960, The Code of Administrative Procedure (Journal of Laws 1960 No. 30, item 168).

263 The Act of 30 August 2002, Law on Proceedings Before Administrative Courts (Journal of Laws of 2002 No. 153 item 1270).

264 The Act of August 29, 1997 - Tax Ordinance (Journal of Law 1997 No. 137, item 926).

265 The Act of 25 June 2015 on the Constitutional Tribunal (Journal of Laws 2015 item 1064).

266 The Act of 26 March 1982 on the Tribunal of State (Journal of Laws 1982 No. 11, item 84).

267 The Act of 21 January 1999 on the Congress Investigative Committee (Journal of Laws of 1999, No. 35, item 321).

268 The Act of 6 September 2001 on Access to Public Information (Journal of Law 2001 No. 112, item 1198).

269 The Act of December 15, 2000 on the Trade Inspection (Journal of Laws 2001 No. 4, item 25).

270 The Act of 16 July 2004 Telecommunications Law (Journal of Laws 2004 No. 171 item 1800).

271 The Act of February 16, 2007 on Competition and Consumer Protection (Journal of Laws 2007 No. 50, item 331).

272 So on this subject R Padrak, Secret of the company in the control proceedings of the Supreme Audit Office, "State Audit" 2007, No. 4, p. 22.

273 The Act of 29 January 2004 on Public Procurement Law (Journal of Laws 2004 No. 19 item 177).

274 Regulation of the Council of Ministers of February 12, 2013 on the Procedure for the Assessment of the Existence of a Fundamental State Security Interest (Journal of Laws 2013 item 233).

275 The decision 92/MON on the detailed procedure for the qualification of orders and the assessment of the existence of a fundamental security interest of state (Official Journal of the Minister of National Defense of March 25, 2014, item 101).

276 The decision 118/MON on the Rules and Procedure for Granting National Defense Orders in the Field of Defense and National Security (Official Journal of the Minister of National Defense of 25 April 2013, item 119).