1 Regulation (EU) 2016/679 Of The European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 The European Parliament adopted the GDPR on 27 April 2016, and its wording was published in the Official Journal of the European Union on 4 May 2016. Pursuant to article 99 clause 2, the GDPR became effective on the twentieth day following that of its publication in the Official Journal of the European Union, i.e. on 24 May 2016, and it will become applicable from 25 May 2018 (article 99 clause 2 GDPR).
3 Cross-border data processing is defined in article 4 item 23 of the GDPR (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
4 E Bielak-Jomaa, Ogólne rozporządzenie o ochronie danych. Rewolucja w ochronie danych?, MOP 2017, No. 20, page 3.
5 Treaty on the Functioning of the European Union of 26 October 2012 (OJ C 2012 326, page 47).
6 The essence of EU Regulations is the direct effect thereof, which signifies that it is the rules stipulated in such Regulations that form the legal basis for cases pending before Member State authorities, but not provisions of any national legislation (P Litwiński, J Barta, J Kawecki, Commentary to article 99 of the GDPR [in:] Rozporządzenie UE w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takic danych. Commentary, P Litwiński (ed.), Warsaw 2018). The direct effect of the provisions of EU law means that a party referring to a specific provision of the GDPR is entitled to invoke the applicability there of before any Member State court both in private and public law litigation (Judgment of the European Court of Justice of 27 September 2001 in case C-63/99 the Queen vs the Secretary of the State, ECLI:EU:C:2001:488; Judgment of the European Court of Justice 27 September 2001 in case C-257/99 Barkoci and Malik, ECLI:EU:C:2001:491).
7 When reviewing national legislative bills to prepare the legal system for the implementation of the personal data protection reform, the Inspector General for Personal Data Protection (IGPDP) strongly noted that the submitted bills 'should contain nothing but provisions aimed at preparing the national legal order for the applicability of Regulation 2016/679 and a new Personal Data Protection Act', and accordingly it is not allowable to draft solutions that deviate from those stipulated in the GDPR (IGPDP's comments on the draft Personal Data Protection Act Enforcement Regulations and Personal Data Protection Act attached as Addendum 1 and 2, respectively, to the IGPDP's Letter to the Minister of Digital Affairs of 20 October 2017, http://IGPDP.gov.pl/pl/1520280/10202). At the same time, the Government Centre for Legislation has analysed that the national legislation relating to personal data protection includes some 800 legal acts that, once they have been thoroughly revised, need to be repealed or amended (E Bielak-Jomaa, D Lubasz, Polska i europejska reforma ochrony danych osobowych, E Bielak-Jomaa (ed.), Warsaw 2016, Legalis).
8 Judgment of the European Court of Justice z 31 January 1978, C-94/77, Fratelli ZerboneSnc vs Amministrazione delle finanze dello Stato, ECLI:EU:C:1978:17, quoted in: K Morawska, Rola oraz status..., Warsaw 2017, Legalis.
9 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23/11/1995 P. 0031 - 0050).
10 The Directive repels Framework Decision 2008/977/JHA of the Council. The Regulation is going to replace existing Directive 95/46/EC.
11 Item 1.2 of the draft e-Privacy Regulation.
13 In X Konarski's opinion, the most substantial change brought about by the E-Privacy Regulation is its inclusion of a wide range of interpersonal communication services (the use of mobile devices), which was not regulated in Directive 2002/58 so far, as well as machine-to-machine communications (Internet of Things), which involves the processing of data on the users of various types of intelligent devices (see X Konarski, Rozporządzenie o e-Prywatności jako regulacja sektorowa względem ogólnego rozporządzenia o ochronie danych osobowych (RODO), (MoP supplement 20/2017), MOP 2017, No. 20, page 6).
14 As set out in article 7 of the CFR.
15 As defined in article 4 clause 3b of the draft e-Privacy Regulation.
16 As defined in article 4 clause 3c of the draft e-Privacy Regulation.
17 This term relates to information stored on end user terminals and relating to such terminals (article 8 of the draft e-Privacy Regulation).
18 Draft Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, COM(2017) 495 final 13 September 2017, http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX:52017PC0495, hereinafter the Draft Non-Personal Data Regulation.
19 The draft stresses that it is consistent with existing legal instruments, in particular it complies with the Electronic Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (Electronic Commerce Directive) (OJ L 178 of 17 July 2000, page 1), which is supposed to create a comprehensive and efficient single EU market for a broader category of information society services, and the Directive on services in the internal market (Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376 of 27 December 2006, page 36), which helps deepen a single EU services market in certain sectors (Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, COM(2017) 495 final, of 132 September 2017, http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX:52017PC0495).
20 The proposed definition resolves discrepancies between legal systems of EU Member States as far as the term 'personal data' is concerned, as well as dispels any doubts about the interpretation of how to determine the meaning of the expression 'identifiable person' and the premises indicating the 'possibility' of identifying the person personal data relates to. The EU legislators have left an open catalogue of premises enabling to ascertain that a person is identifiable, which in consequence means that the proposed definition is open-ended and allows a broad interpretation of personal data.
21 Commentary to article 4 GDPR [in:] Rozporządzenie (UE) w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Commentary, P Litwiński (ed.), Warsaw 2018.
22 It is indicated in the literature that personal data protection is one of the key aspects of the right to privacy (see M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Warsaw 2014, page 36 et seq.). J Barta and R Markiewicz point out that such approach to personal data protection is also adopted in national and international regulations (seeJ Barta, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 116).
23 J Barta, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 54.
24 The notion of data is defined negatively, for it is termed as 'data other than personal data referred to in article 4 item 1 of Regulation (EU) No. 2016/679' (article 3 clause 1 of the draft Non-Personal Data Regulation).
25 Charter of Fundamental Rights of the European Union of 30 March 2010 (OJ C 2010 83, page 389, hereinafter the CFR).
26 Treaty on the Functioning of the European Union of 26 October 2012 (OJ C 2012 326, page 47, hereinafter the TFEU).
27 K Morawska, Rola oraz status...,Warsaw 2017, Lergalis.
28 In complicated cases, the one month's period for delivery of data to the applicant can be extended to a maximum of three months provided that the person such data relates to is, within one month of the original request, notified of the reasons for such a delay (see P Liwiński, Komentarz do art. 20 RODO [in:] Rozporządzenie (UE) w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Komentarz, P Liwiński (ed.), Warsaw 2018.
29 Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
30 In the literature it is usually stressed that the GDPR 'is supposed to eliminate any differences in the degree of right protection for rights, which may arise in this respect from the enforcement of the Directive, as well as to avoid fragmentation, legal uncertainty and the popularisation of the belief that the protection of natural persons is substantially threatened, especially in the Internet' (see K Morawska, Rola oraz status prawny motywów preambuły ogólnego rozporządzenia o ochronie danych - klucz do wykładni przepisów nowego prawa unijnego [in:] Ogólne rozporządzenie o ochronie danych osobowych. Wybrane zagadnienia, M Kawecki, T Osiej (ed.), Warsaw 2017, Legalis.
31 The IGPDP's comments on the draft of new regulations on the protection of personal data, http://IGPDP.gov.pl/pl/1520280/10202 (accessed on 9 January 2017).
32 It should be noted here that the preamble is not normative in nature and cannot be referred to as a basis for deviations from the provisions of any act (see Judgment of the European Court of Justice of 19 November 1998 in case C-162/97, Legalis, criminal proceedings against Gunnar Nilsson, Per Olov Hagelgren and Solweig Arrborn, ECLI:EU:C:1998:554, item 54), for the preamble contains reference to the purpose of the legal regulation, which indicates its assumptions and ideological foundations (see K Morawska, Rola oraz status..., Warsaw 2017, Legalis).
33 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM/2014/0442 final) http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=celex:52014DC0442. On EUR-LEX pages the commentary was described as 'a strategic document containing ideas for the use of data by EU Member States in a way beneficial to their economies' (http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=LEGISSUM:3102_2).
37 The definition of a data-driven economy is quoted in the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN. According to that definition, the data economy measures the overall impacts of the data market, i.e. the marketplace where digital data is exchanged as products or services derived from raw data, on the economy as a whole. It involves the generation, collection, storage, processing, distribution, analysis, elaboration, delivery, and exploitation of data enabled by digital technologies (European Data Market study, SMART 2013/0063, IDC, 2016). In 2014 the EU data-driven economy was estimated at ?257 billion, i.e. 1.85% of the EU GDP (European Data Market study, SMART 2013/0063, IDC, 2016). In 2015 this figure rose up to ?272 billion, i.e. 1.87% of the EU GDP (5.6% increase compared with the previous year). According to the same forecast, if a framework for the functioning of a data-driven economy is created within an appropriate timeframe, in 2020 its value will increase up to ?643 billion, i.e. 3.17% of the European Union's total GDP (Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN.
38 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 'Building a European Data Economy' (COM/2017/09 final) of 10 January 2017; http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=COM:2017:9:FIN.
40 Article 3 clause 8 of the draft Non-Personal Data Regulation.
41 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM/2014/0442 final) http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=celex:52014DC0442.
42 S Hoc, T Szewc, Ochrona danych osobowych i informacji niejawnych, Warsaw 2014, page 10.
43 A Drozd, Zakres zakazu przetwarzania danych osobowych, PiP 2003, issue 2, page 48.
44 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Wolters Kluwer, Warsaw 2014, page 155.
45 The case law of Argentinian and Swiss courts as well as of the European Court of Human Rights regarding the right to be forgotten was gathered and presented in the Master's thesis titled The Right to Be Forgotten as an Instrument to Protect the Right to Privacy, Krzysztof Żołyński, op. cit., pages 50-54.
46 S Frankel, D Gervais, The Evolution and Equilibrium of Copyright in the Digital Age, Cambridge University Press 2014, page 187.
47 V Sreeharsha, Google and Yahoo Win Appeal in Argentina Case, New York Times, 20 August 2010.
48 F Werro, The Right to Inform v. the Right to be Forgotten: A Transatlantic Clash, Centre for Transnational Legal Studies Colloquium, Research Paper No. 2 May 2009, page 290.
49 L Siry, S Schmitz, A Right to be Forgotten? - How Recent Developments in Germany May Effect The Internet Publisher in the US, European Journal of Law and Technology, Vol. 3, No. 1, 2012, page 3.
50 A H Stuart, Google Search Results: Buried If Not Forgotten, North Carolina, Journal of Law & Technology, Volume 15, Issue 3, Spring 2014, pages 480-481.
51 Regulation directly applicable in national legal systems since 25 May 2018 for all those who process personal data as part of their business activities.
52 What is of critical importance to entrepreneurs is to define the maximum penalty for infringing applicable laws, which penalty can amount to even ?20,000,000 or 4% of the entrepreneur's total annual worldwide turnover in the financial year preceding the infringement.
53 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, EC OJ L 281 of 23 November 1995.
54 I Stupariu, Defining the Right to be Forgotten. A Comparative Analysis between the EU and the US, LLM Short Thesis, Central European University 2015, page 31.
55 The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), published on 4 May 2016 in EC Official Journal L 119; pursuant to article 99 of the General Regulation, it becomes effective twenty days after its publication in the EC Official Journal and will be remain in force until 25 May 2018.
56 M Krzysztofek, Prawo do bycia zapomnianym i inne aspekty prawa prywatności w epoce Internetu w prawie UE, Europejski Przegląd Sądowy, August 2012, No. 2, page 29.
57 http://eur-lex.europa.eu/legal-content/PL/TXT/PDF/?uri=CELEX:31995L0046&from=pl
58 K Żołyński, op. cit., pages 57-59
59 Ruling of the European Court of Justice of 13 May 2014 in case C 131/12 Google Spain i Google Inc., page 7.
60 Directive 95/46/EC on the protection of personal data.
61 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej, Wolters Kluwer, Warsaw 2014, page 165.
62 Google Spain SL v. Agencia Espa?ola de Protección de Datos. Court of Justice of the European Union Creates Presumption that Google Must Remove Links to Personal Data upon Request. http://harvardlawreview.org/2014/12/google-spain-sl-v-agncia-espanola-de-proteccion-de-datos/
63 Press release No. 70/14 of the European Court of Justice, Luxembourg 13 May 2014 http://curia.europa.eu/jems/upload/docs/application/pdf/2014-05/cp140070pl.pdf
64 M Czerniawski, Commentary to the ruling of the Court of Justice of 13 May 2014, C-131/12, LEX/el.
65 M Kręcisz, Commentary to the ruling of the Court of Justice of 13 May 2014, C-131/12, LEX/el.
66 Ł Goździaszek, Prawo do bycia zapomnianym w wyszukiwarce internetowej - glosa do wyroku Trybunału Sprawiedliwości z dnia 13 maja 2014 r. w sprawie C 131/12 Google Spain i Google Inc. przeciwko Agencia de Proteccion de Datos (AEPD) i Mario Costeja Gonzalez, Europejski Przegląd Sądowy, No. 2, 2015, page 43.
67 The potential introduction of the right to be forgotten in the United States is arguable. Reasons for that include the sceptical approach to the described concept in the US, as well as a significantly different understanding of privacy and its relation to other personality rights, such as freedom of speech.
68 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) of 4 May 2016, EU OJ L 119.
69 M Krzysztofek, "Prawo do bycia zapomnianym" i inne aspekty prywatności w epoce Internetu w prawie UE, Europejski Przegląd Sądowy 2012, No. 8, page 34.
70 M Piech, Wyszukiwarka jako administrator danych osobowych w kontekście wyroku Trybunału Sprawiedliwości z 13.05.2014 r. w sprawie C-131/12 Google Spain SL i Google Inc. przeciwko Agencia de Proteccion de Datos (AEPD) i Mario Costeja Gonzalez - konsekwencje dla pośredników internetowych, Europejski Przegląd Sądowy, No. 2, 2015, page 24.
71 M Śledzikowski, Prawo do bycia zapomnianym w Internecie - nowe standardy ochrony danych osobowych w Unii Europejskiej, Ochrona prywatności w nowych technologiach. Published by the Computer Law Block students' society, Wrocław 2015, page 79.
72 Maria Łoszewska-Ołowska PhD, an Adjunct Professor at the University of Warsaw Faculty of Journalism, Information and Book Studies.
73 Act of 26 January 1984 (Journal of Laws No. 5, item 24, as amended), hereinafter the Press Law.
74 Act of 29 August 1997 (Journal of Laws of 2016, item. 922), hereinafter the Personal Data Protection Act.
75 R Koper, Jawność rozprawy głównej a ochrona prawa do prywatności w procesie karnym, Warsaw 2010, page 383.
77 This provision reads: Except for the provisions of articles 14-19 and article 36 clause 1, the Act shall not be applicable either to any journalistic activities as defined in the Press Law Act of 26 January 1984 (Journal of Laws No. 5, item 24, as amended) as well as to any literary or artistic activities unless freedom to express opinions and communicate information grossly violates the rights and liberties of the person such information pertains to.
78 J Barta, P Fajgielski, R Markiewicz, Ochrona danych osobowych. Komentarz, Cracow 2007, page 332.
80 For more information on the said journalist'sprivilege, see, amongotherthings, M Sakowska, A Młynarska-Sobaczewska, Klauzula prasowa z ustawy o ochronie danych osobowych jako gwarancja wolności wypowiedzi, Państwo i Prawo, No. 1 of 2005, pages 68-77.
81 See, amongotherthings, J Barta, M Fajgielski, R Markiewicz, Ochrona danych osobowych..., pages 345-346.
82 So op.cit., pages 351 and 353.
86 R Koper, Jawność rozprawy..., page 385.
87 J Sobczak, Dziennikarz - sprawozdawca sądowy. Prawa i obowiązki, Warsaw 2000, page 171; J Sobczak, Prawo prasowe. Komentarz, Warsaw 2008, page 519.
88 J Barta, R Markiewicz Prawo mediów, Warsaw 2005, page 269.
89 Prawo prasowe. Komentarz, Warsaw 2008, page 115,
90 E Nowińska, Wolność wypowiedzi prasowej, Warsaw 2007, page 94. Seealso A Augustyniak, Prawo prasowe. Komentarz, edited by B Kosmus, G Kuczyński, pages 221-222.
93 So the Supreme Court in its ruling of 6 June 2003 (IV CKN 191/01).
95 So K Włodarska-Dziurzyńska, (in:) Media a dobra osobiste, edited by J Barta, R Markiewicz, Warsaw 2009, pages 253-254.
96 Art. 3. 5 Directive states that PNR means a record of each passenger's travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers onto flights, or equivalent systems providing the same functionalities.
97 M. Lis, The authorities will receive the abilities. All information about the air passengers will come to the national base, in: www.money.pl' 20.11.2017,h. 17:45
99 T. Balcerzak, Safe flight, safe data's In : www.ec. europa.eu, 11-12-2017 17.45
100 Application Programming Interface- an application programming interface (API) is a set of a subroutine definitions, protocols, and tools for building application software.
101 Council Directive 2004/82/WE of 29 April 2004 on the obligation of carriers to communicate passenger data (O.J. L 261 6.8.2004, p. 24).
102 Charter of Fundamental Rights of the European Union (2012/c 326/02) O.J C 326/391 26.10.2012
103 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108, Strasbourg, 29.01.1981; coe.int
104 European Convention on Human Rights as amended by Protocols 3, 5 i 8 and 2; echr.coe.int
105 Regulation EU Nr 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Members States of the Commission's exercise of implementing Power (O.J. L 55, 28.2.2011, p. 13).
106 The Protocol relating to the Status of Refugees, New York 31 January 1967 r. (Dz. U. 20 December 1991).
107 Council Decision 2009/371/JHA (Justice and Home Affairs Council) of 6 April 2009 establishing the European Police Office (Europol) (O.J L 121, 15.5.2009, p. 37).
108 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the Exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (O.J. L 386, 29.12.2006, p. 89)
109 Directive 2004/38/WE of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) no 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC i 93/96/EEC (O. J. L 158, 30.4.2004, p. 77).
110 'Push method'"-means the method whereby air carriers transfer PNR data listed in Annex I into the database of the authority requesting them;
111 Passenger name record data as far as collected by air carriers: PNR record locator, date of reservation/issue of ticket, Date(s) of intended travel, Name(s), Address and contact information (telephone number, e-mail address), all forms of payment information, including billing address, Complete travel itinerary for specific PNR, frequent flyer information, travel agency/travel agent, travel status of passenger, including confirmations, check-in status, no-show or go-show information, split/divided PNR information, General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent) Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields, seat number and other seat information, code share information, all baggage information, Number and other names of travellers on the PNR Any advance passenger information (API) data collected (including the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time). All historical changes to the PNR listed in numbers 1 to 18.
112 "To depersonalize" through masking out of data elements' means to render those data elements which could serve to identify directly the data subject invisible to a user.
113 Directive 95/46/WE of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/1995, p. 31-50
117 The justification to the Act Project z 14-11-2017, MSWiA, p. 3
118 From The justification to the project: www. mswia.gov.pl
119 M. Lis, The controversy among the New base of the data's of Polish authorities, Panaptykon: is limiting the basic rights, in: www. money.pl; 2017-11-28 06.09
121 Col. phdeng. Dariusz Nowak - deputy director of the Institute of Law and the Defense Administration of the National Security Faculty of the War Studies University.
122 Article 47 of the Constitution of the Republic of Poland of 2.04.1997 (Journal of Laws of 1997, No. 78, item 483).
123 The duty of military service consists in: performing military exercises, performing preparatory service, and performing periodic military service by reserve soldiers and territorial military service.
124 Article 4 paragraph 2 and 2a of the Act of November 21, 1967 on the Universal Defense of the Republic of Poland (Journal of Laws of 2017, item 1430, as amended), sections III, IV, V and VII (further u.p.o.o.).
126 Electronic records do not include soldiers who perform professional military service on official positions in civil institutions.
127 Section 17 of the Ordinance of the Minister of National Defense from 31.10.2014 on military records of professional soldiers (Journal of Laws of 2014, item 1638).
128 http://rczpi.wp.mil.pl/pl/46.html[access: 6.12.2017].
129 http://rczpi.wp.mil.pl/pl/44.html[access: 6.12.2017].
130 http://rczpi.wp.mil.pl/pl/45.html[access: 6.12.2017].
131 http://rczpi.wp.mil.pl/pl/61.html[access: 6.12.2017].
132 Decision No. 44/MON of the Minister of National Defense of 15/02/2013 on the implementation of the networked military record system "SEW on-line" for operational use (Journal of Defense of the Ministry of National Defense 2013, item 50).
133 http://beo.wp.mil.pl/[access: 10.01.2018].
134 http://beo.wp.mil.pl/3.html[access: 10.01.2018].
135 http://beo.wp.mil.pl/5.html[access: 10.01.2018].
136 http://www.cyberdefence24.pl/592211,media-spolecznosciowe-zagrozeniem-dla-zolnierzy[access: 10.01.2018].
137 Judgment of the Supreme Administrative Court in Warsaw of 19 December 2011 (I OSK 1100/11).
138 Act of 5.10.2010 on the protection of classified information (Journal of Laws 2010, No. 182, item 1228, as amended).
139 Regulation of the Minister of National Defense of 19/12/2013 on specific tasks of protection proxies for the protection of classified information in organizational units subordinate to or supervised by the Minister of National Defense (Journal of Laws of 2016, item 1720).
140 Article 266 para. 1 of the Act of 6.06.1997 - Penal Code (Journal of Laws 1997, No. 88, item 553, as amended).
141 Agnieszka Brzostek PhD - lecturer at the Chair of Administration and Administrative Law, Institute of Law and Defence Administration, Faculty of National Security, War Studies University
142 Administrative Procedure Code Act of 14 June 1960 (Journal of Laws of 2017, item 1257, consolidated text).
143 Ruling of the Supreme Administrative Court of 6 December 2011, case file I OSK 268/11.
144 Ruling of the Administrative Court in Warsaw of 19 May 2016, case file I ACa 1056/15.
145 Article 51 of the Polish Constitution of 2 April 1997, Journal of Laws of 1997, No. 78, item 483.
146 Personal Data Protection Act of 29 August 1997, Journal of Laws of 2016, item 922.
147 Ruling of the Supreme Court of 11 February 2015, case file I CSK 868/14, Lex No. 1677121.
148 Article 7 clause 2 of the Personal Data Protection Act. See also Ruling of the Provincial Administrative Court in Warsaw of 12 July 2017, case file II SA/Wa 2221/16, Lex No. 2337509.
149 Article 23 clauses 1-5 of the Personal Data Protection Act.
150 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 23 ustawy o ochronie danych osobowych, as at 1 July 2015.
151 Ruling of the Provincial Administrative Court in Warsaw of 12 July 2017, case file II SA/Wa 2221/16, Lex No. 2337509.
153 Ruling of the Supreme Administrative Court in Warsaw of 20 February 2013, case file I OSK 258/12, Lex No. 1356990.
155 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, case file I OSK 2029/11, Lex No. 1341461.
158 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.
159 EU OJ L95.281.31 as amended.
160 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.
161 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 24 ustawy o ochronie danych osobowych, op. cit.
162 Article 26 clause 1 of the Personal Data Protection Act
163 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 26 ustawy o ochronie danych osobowych, as at 2015.07.01.
164 Article 26a clause 1 of the Personal Data Protection Act.
165 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 26a ustawy o ochronie danych osobowych, op. cit.
166 Article 31 clause 1 of the Personal Data Protection Act
167 Ruling of the Supreme Administrative Court in Warsaw of 10 January 2013, I OSK 2029/11, Lex No. 1341461.
169 J Barta, P Fajgielski, Markiewicz, Komentarz do art. 32 ustawy o ochronie danych osobowych, op. cit.
171 Article 33 clause 1 of the Personal Data Protection Act.
172 Ruling of the Provincial Administrative Court in Warsaw of 14 July 2016, case file II SA/Wa 2080/15.
173 Article 34 of the Personal Data Protection Act.
174 J. Barta, P. Fajgielski, Markiewicz, Komentarz do art. 34 ustawy o ochronie danych osobowych, op. cit.
175 P. Litwiński, Ochrona danych osobowych w ogólnym postępowaniu administracyjnym, Warsaw 2009, page 238.
176 Article 35 clause 1 of the Personal Data Protection Act.
177 J Barta, P Fajgielski, Markiewicz, Komentarz do Article 35 ustawy o ochronie danych osobowych, op. cit. For more information on data processing and the request to stop data processing, see P Litwiński, op. cit.
178 P Litwiński, op. cit., page 243.
180 Monika Nowikowska PhD, lecturer at the War Studies University Faculty of National Defence, Institute of Law and Defence Administration, Department of Administration and Administrative Law.
181 Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws No. 78, item 483 as amended).
182 M Safjan, Ochrona danych osobowych - granice autonomii i informacji, (in:) Ochrona danych osobowych, edited by M Wyrzykowski, Warsaw 1999, page 9.
183 M Polok, Bezpieczeństwo danych osobowych, Warsaw 2008, page 26.
184 K Karsznicki, Kryteria dostępu do informacji publicznej, Prokuratura i Prawo 2015, issue 11, page 112.
185 A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2006, page 15.
186 Government Administration Audit Act of 15 July 2011 (Journal of Laws No. 185, item 1092).
187 Access to Public Information Act of 6 September 2001 (Journal of Laws of 2016, item 1764, as amended).
188 Ruling of the Supreme Administrative Court of 17 November 2000, II SA 1860/00, unpublished.
189 W Robaczyński, Postępowanie kontrolne, (in:) Komentarz do ustawy o Najwyższej Izbie Kontroli, E Jarzęcka-Siwik, T Liszcz, M Niezgódka-Medkova, W Robaczyński, Warsaw 2000, pages 166-167.
190 Bill of 12 December 2017
191 E.g. article 41 - Fundamental Principles of Performance Auditing (ISSAI 300).
192 P Szustakiewicz, Podstawy prawne udzielania informacji prasie przez Najwyższą Izbę Kontroli, Kontrola Państwowa 1999, issue 6, page 22.
193 See: Supreme Administrative Court's ruling of 8 November 2002, II SA 181/2002, unpublished; ruling of the Provincial Administrative Court in Lodz of 10 January 2008, II SAB/Łd 29/07, Lex No. 505423.
194 M Nowikowska, Wystąpienie pokontrolne jako informacja jawnoźródłowa białego wywiadu, (in:) Bezpieczeństwo informacyjne. Aspekty prawno-administracyjne, edited by W Kitler, J Taczkowska-Olszewska, Warsaw 2017, pages 207-221.
195 J Ruszewski, P Sitniewski, Ustawa o dostępie do informacji publicznej w orzecznictwie, page 28, published on www.jawnosc.pl.
196 IGPDP's decision of January 2017 z 01.2007, no case number, IGPDP's decision of 15 December 2013, DIS/DEC-158/13/9658.
197 Ruling of the Constitutional Tribunal of 19 June 2002, K11/2002,
198 A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2006, page 15.
199 I Szostek, Prawo do informacji publicznej a ochrona danych osobowych, (in:) Bezpieczeństwo informacyjne. Aspekty prawno-administracyjne, edited by W Kitler, J Taczkowska-Olszewska, Warsaw 2017, page 270.
200 A Lach, Kradzież tożsamości, Prokuratura i Prawo 2012, issue 3, pages 29-30. Cf. A Murray, Information Technology Law. Law and Society. Third Edition, Oxford University Press, pages 429-430.
201 Australian Centre for Policing Research and the Australian Transaction Reports and Analysis Centre, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency, Report Series No. 145.3, Australian Centre for Policing Research 2006, pages 9-10.
202 For more details see J Clough, Principles of Cybercrime. Second edition, Cambridge University Press 2015, pages 218-219, 238-239; I Walden, Computer Crimes and Digital Investigationpage Second edition, Oxford University Press 2016, pages 114-115.
203 Council of Europe Convention on Cybercrime signed in Budapest on 23 November 2001 (Journal of Laws of 2015, item 728). It should be noted, however, that the Convention defines an offence, a form of which can be deemed to include identity theft, namely the so-called computer related forgery understood as "the input, alteration, deletion or suppression of computer data resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible" (cf. M Summer, C Schwarzenegger, G Ege, F Young, The Emergence of EU Criminal Law, Oxford and Portland, Oregon 2014, page 246).
204 Council Framework Decision 2005/222/JHA on attacks against information systems (OJ L 69 of 16 March 2005, page 67).
205 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218 of 14 August 2013, page 8).
206 Criminal Code Act of 6 June 1997 (consolidated text: Journal of Laws of 2017, item 2204, as amended), hereinafter as the Criminal Code.
207 Act of 25 February 2011 changing the Criminal Code Act (Journal of Laws No. 72, item 381.), hereinafter the Amendment Act 2011.
208 Commission proposal for a directive of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA of 30 September 2010 (COM(2010) 517 final version).
209 It provides a penalty for up to three years of imprisonment for the persistent harassment of another person or such a person's next of kin, which makes such a person justified sense of threat or signicicantly violates the person's privacy.
210 M Budyn-Kulik, Komentarz do art. 190a k.k.[in:] Kodeks karny. Komentarz do zmian wprowadzonych ustawą z 25 lutego 2011 r. o zmianie ustawy Kodeks karny, Lex/el., item 50; cf. A Lach, Karnoprawna reakcja na zjawisko kradzieży tożsamości, Warsaw 2015, pages 90-91.
211 Reasoning of the Amendment Act 2011, Parliamentary Print No. 3553 of 27 October 2010, page 10.
213 The idea of including in the Personal Data Protection Act of 29 August 1997 (consolidated text:Journal of Laws of 2016, item 922, as amended; hereinafter the PDPA) a provision to criminalise cyberstalking was rightly rejected, which the proponents justified by pointing out that "the designed provision relates to a general offence that can be committed by everyone rather than to most of the criminal ones stipulated in the Act, which are personal in nature and, as a rule, involve the penalisation of acts committed by data file administrators and personal data processorpage. In addition, protection against such misdemeanours is guaranteed, above all, by ensuring the proper movement of the data records maintained under the said statutory regulation (Reasoning of the Amendment Act 2011, page 10)".
214 M Budyn-Kulik, Komentarz do art. 190a k.k..., item 54;
215 M Budyn-Kulik, Komentarz do art. 190a k.k..., item 54; A Lach, Karnoprawna reakcja..., page 89
216 M Budyn-Kulik, Komentarz do art. 190a k.k...., items 54-55.
217 M Mozgawa [in:] System Prawa Karnego. Tom 10. Przestępstwa przeciwko dobrom indywidualnym, edited by J Warylewski, Warsaw 2016, page 468.
219 Słownik języka polskiego. Volume III, edited by M Szymczak, Warsaw 1995, page 719.
220 A Zoll [in:] Kodeks karny. Część szczególna. Tom II. Komentarz do art. 117-277 k.k., edited by A Zoll, Warsaw 2013, page 607.
221 Słownik języka polskiego..., page 752.
222 Ruling of the Supreme Courtof 7 March 2003 (case No. I CKN 100/01, unpublished)
223 J Barta, Markiewicz, Wokół prawa do wizerunku, Warsaw 2002, page 12; J Sieńczyło-Chlabicz, Rozpowszechnianie wizerunku osób powszechnie znanych, Przegląd Prawa Handlowego 2003, issue 9, page 40 J Panowicz-Lipska [in:] Kodeks cywilny. Tom I. Komentarz. Art. 1-44911, edited by J Gutowski, Warsaw 2016, pages 117-118; A Sakowicz, M Królikowski [in:] Kodeks karny. Część szczególna. Tom I. Komentarz do artykułów 117-221, edited by M Królikowski, R Zawłocki, Warsaw 2017, page 591.
224 Ruling of the Supreme Court of 20 May 2004 II CK 330/03
225 Sobolewski [in:] Kodeks cywilny. Komentarz. Tom I. Przepisy wprowadzające. Część ogólna. Własność i inne prawa rzeczowe, edited by K Osajda, Warsaw 2013, page 400. Cf. T Grzeszak [in:] System Prawa Prywatnego. T. 13. Prawo autorskie, edited by J Barta, Warsaw 2013, pages 786-787.
226 Civil Code Act of 23 April 1964 (consolidated text: Journal of Laws of 2017, item 459, as amended).
227 Consolidated text: Journal of Laws of 2016, item 666, as amended.
228 J Panowicz-Lipska [in:] Kodeks cywilny..., page 118. For more details see T Grzeszak [in:] System Prawa Prywatnego..., pages 783-784, A Matlak, Cywilnoprawna ochrona wizerunku, Kwartalnik Prawa Prywatnego 2004, issue 2, page 320.
229 Similar to A Sakowicz, M Królikowski [in:] Kodeks karny..., page 591 and, as it seems, M Mozgawa [in:] System Prawa Karnego..., page 469 and M Budyn-Kulik [in:] M Budyn-Kulik, Komentarz do art. 190a k.k..., pkt 60-62; contrary to P Furman [in:] P Furman, Próba analizy konstrukcji ustawowej przestępstwa uporczywego nękania z art. 190a k.k. Zagadnienia wybrane, Czasopismo Prawa Karnego i Nauk Penalnych 2012, issue 3, page 71), who narrows the subject of protection down only to imagein the second meaning, i.e. the established imageof a person.
230 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 of 27 April 2016, page 1), hereinafter referred to as the GDPR.
231 J Barta, P Fajgielski, Markiewicz, Ochrona danych..., pages 338-339; P Barta, P Litwiński, Ustawa o ochronie danych osobowych. Komentarz, 2016, page 77; A Drozd, Ustawa o ochronie danych osobowych. Komentarz. Wzory pism i przepisy, Warsaw 2007, page 41), A Mednis, Ustawa o ochronie danych osobowych. Komentarz, Warsaw 2002, pages 21-22.
232 P Barta, P Litwiński, Ustawa o ochronie..., page 77. Also A Mednis, Ustawa o ochronie..., page 21.
233 J Barta, P Fajgielski, R Markiewicz, Ochrona danych osobowych. Komentarz, Warsaw 2011, page 339; J Kosonoga [in:] R A Stefański (editor), Kodeks karny. Komentarz, Warsaw 2015, page 1094.
234 J Barta, P Fajgielski, R Markiewicz, Ochrona danych..., page 339, G Sibiga, Postępowanie w sprawach ochrony danych osobowych, Warsaw 2003, page 33.
235 M Krzysztofek, Ochrona danych osobowych w Unii Europejskiej po reformie. Komentarz do rozporządzenia Parlamentu Europejskiego i Rady (UE) 2016/679, Warsaw 2016, page 41
236 P Barta, P Litwiński, Ustawa o ochronie..., pages 78-79.
237 Information on a dead person can be the personal data of a living person, e.g. the name of a deceased parent. For more details see e.g. J Barta, P Fajgielski, Markiewicz, Ochrona danych..., pages 344-345; s. P Barta, P Litwiński, Ustawa o ochronie..., page 79.
238 As pointed out in the literature, information on a private individual can be derived from information on a body corporate, therefore it happens that the boundaries between information on a private individual and that on a body corporate become vague (J Barta, P Fajgielski, R Markiewicz, Ochrona danych..., page 340); also A Lach, Prawnokarna reakcja..., page 97; M Mozgawa [in:] M Mozgawa (editor), Kodeks karny. Komentarz, Warsaw 2015, page 509).
239 A Zoll, Kodeks karny..., page 607, M Mozgawa, System Prawa Karnego..., page 470.
240 A Szpunar, O zadośćuczynieniu z tytułu uszkodzenia ciała, Studia Iuridica 1994, volume XXI, page 171.
241 Cf. F Radoniewicz, Dochodzenie roszczeń cywilnych w polskim postępowaniu karnym - analiza obecnej regulacji na tle wcześniejszych rozwiązań [in:] Ex contractu, ex delicto - z dziejów prawa zobowiązań, edited by M Mikuła, K Stolarski, Cracow 2012; For more details see e.g. A Brzozowski, W Czachórski, M Safjan, E Skowrońska-Bocian, Zobowiązania. Zarys wykładu, Warsaw 2009, pages 84-93.
242 M Mozgawa [in:] System Prawa Karnego..., pages 470-471. As stressed by A Lach, pursuant to article 190a § 2 of the Criminal Code no criminal liability can be imposed on a perpetrator who uses another person's identity to hide the perpetrator's own one or cause damage to a third party (i.e. other than that whose personal data the perpetrator uses) or who acts only to gain a financial advantage (A Lach, Karnoprawna reakcja..., page 92).
243 M Mozgawa [in:] System Prawa Karnego..., pages 470-471.
244 Consolidated text: Journal of Laws of 2016, item 1541, as amended.
245 Consolidated text: Journal of Laws of 2016, item 1654, as amended.
246 M Mozgawa [in:] System Prawa Karnego..., page 471.
247 M Budyn-Kulik, Komentarz do art. 190a k.k., pkt 59. Similarly A Lach, Karnoprawna reakcja..., page 99.
248 An opposite view in this respect was taken by A Lach (A Lach, Karnoprawna reakcja..., page 101).
249 M Mozgawa [in:] System Prawa Karnego..., pages 471-472.
250 Dr Piotr Milik - assistant professor at the Institute of Law and Defense Administration, National Security Department, Academy of Military Studies.
251 See R. Zięba, Funkcjonowanie paneuropejskiego mechanizmu bezpieczeństwa KBWE/OBWE, "Studia Europejskie" 1998, nr 3, s. 85.
252 FSC.JOUR/314, the material available at the Internet address: http://www.osce.org/fsc/20783.
253 Article 27a of the Act of November 29, 2000 on foreign trade in goods, technologies and services of strategic importance for the security of the state, and for the maintenance of international peace and security: "1. The entity exporting arms is obliged to hand over to the minister competent for foreign affairs an annual report on the actual implementation of this export, by the end of April next year. 2. The report referred to in para. 1, includes in particular:
1) the name, quantity and value of the arms being exported;2) control category;3) numbers of used permits;4) end user's country ".
254 Journal of Laws from 2004, No. 229, item 2315.
255 Resolution of the General Assembly No. 46 / 36L of December 6, 1991, A / RES / 46/36. Provisions regarding the creation of the Conventional Weapons Register can be found in item "L" of the resolution entitled: Transparency in Armaments.
256 www.msz.gov.pl/pl/polityka_zagraniczna/polityka_bezpieczenstwa/kontrola_eksportu/transparencja/transparencja;jsessionid=36A51C201162AEB978C304DF7244F01F.cmsap1p
257 For example, during the civil war in Spain in the 1930s, despite the self-imposed commitment to the embargo on the supply of weapons to this country, Poland secretly carried out supplies of weapons to both the Republican government in Madrid (Poland was the third country in terms of the number of weapons delivered. First and the second were the Soviet Union and France), as well as for the forces of General Francisco Franco. In addition, in September 1936, Poland became a member of the International Non-intervention Committee in Spain, whereby in the same month the vessels carrying the military equipment to Spain regularly left polish military port of Westerplatte. See. A. Fedorowicz, Niech żyje wojna, "Polityka" No. 48, 23.11.2016, pp. 62-64.
258 The Act of August 5, 2010, on the Protection of Classified Information (Journal of Laws from 2010, No. 182, item 1228).
259 See S. Hoc, Ustawa o ochronie informacji niejawnych. Komentarz, Warszawa 2010, p. 84.
260 The Act of June 6, 1997 - Code of Criminal Procedure (Journal of Laws of 1997 No. 89, item 555).
261 The Act of November 17, 1964 - Code of Civil Procedure (Journal of Laws 1964 No. 43, item 296).
262 The Act of June 14, 1960, The Code of Administrative Procedure (Journal of Laws 1960 No. 30, item 168).
263 The Act of 30 August 2002, Law on Proceedings Before Administrative Courts (Journal of Laws of 2002 No. 153 item 1270).
264 The Act of August 29, 1997 - Tax Ordinance (Journal of Law 1997 No. 137, item 926).
265 The Act of 25 June 2015 on the Constitutional Tribunal (Journal of Laws 2015 item 1064).
266 The Act of 26 March 1982 on the Tribunal of State (Journal of Laws 1982 No. 11, item 84).
267 The Act of 21 January 1999 on the Congress Investigative Committee (Journal of Laws of 1999, No. 35, item 321).
268 The Act of 6 September 2001 on Access to Public Information (Journal of Law 2001 No. 112, item 1198).
269 The Act of December 15, 2000 on the Trade Inspection (Journal of Laws 2001 No. 4, item 25).
270 The Act of 16 July 2004 Telecommunications Law (Journal of Laws 2004 No. 171 item 1800).
271 The Act of February 16, 2007 on Competition and Consumer Protection (Journal of Laws 2007 No. 50, item 331).
272 So on this subject R Padrak, Secret of the company in the control proceedings of the Supreme Audit Office, "State Audit" 2007, No. 4, p. 22.
273 The Act of 29 January 2004 on Public Procurement Law (Journal of Laws 2004 No. 19 item 177).
274 Regulation of the Council of Ministers of February 12, 2013 on the Procedure for the Assessment of the Existence of a Fundamental State Security Interest (Journal of Laws 2013 item 233).
275 The decision 92/MON on the detailed procedure for the qualification of orders and the assessment of the existence of a fundamental security interest of state (Official Journal of the Minister of National Defense of March 25, 2014, item 101).
276 The decision 118/MON on the Rules and Procedure for Granting National Defense Orders in the Field of Defense and National Security (Official Journal of the Minister of National Defense of 25 April 2013, item 119).