Based on the Polish Supreme Administrative Court's judgment, data controllers will be obliged to delete the personal data of specific data subjects from back-up copies when the "original" data is deleted from the relevant data filing system.

Background

In 2005, a bank S ("Bank") offered Mr X a credit card. In order to process the credit card application, Bank acquired from Mr X his first and last name, birth date, mother's maiden name, identification card number, national identification number (PESEL), passport number, home address and information about Mr X's financial situation. Based on these personal data, Bank performed a credit scoring exercise. The outcome was that Mr X is too old to qualify as a credit card holder.

After receiving this negative decision, Mr X asked Bank to return the forms with his personal data. Bank rejected his request and informed him that his personal data was deleted from the IT system. Mr X was not satisfied and complained to the Polish Data Protection Authority ("GIODO"). Based on Mr X's complaint GIODO started administrative proceedings in order to establish the circumstances of the case.

GIODO'S decision

During the proceedings Bank provided explanations regarding the status of Mr X's personal data and stated that (1) Mr X's personal data were deleted from the data filing system and (2) Bank did not process Mr X's personal data in the IT system. Bank also informed the GIODO that it was storing Mr X's personal data in back-up copies for archiving purposes and its operational security.

Bank claimed that it was obliged to maintain back-up copies in accordance with Recommendation D issued by the Polish Financial Supervision Authority for operational security of Bank.

Bank also claimed that the aim of the back-up copies was to make a copy of the IT system and all data filing systems at the date of making such copy. Therefore, Bank argued that it Bank could not change or delete back-up copies – they are protected from modifications and destructions.

Taking the above into consideration, GIODO decided that Bank was obliged to delete Mr X's personal data from the back-up copies.

GIODO provided the following explanation for its decision:

  1. Personal data were collected for the purpose of (i) Mr X's credit scoring and (ii) concluding a credit agreement with him. Processing was therefore necessary to take actions prior to entering into a contract.
  2. No credit agreement was entered into and Bank did not collect personal data for archiving purposes and its operational security. Bank could not further process those data on the basis of Bank's legitimate interests. The GIODO held that it was unlawful to process personal data for purposes other than those for which the data were collected.
  3. GIODO did not acknowledge the Bank's argument based on Recommendation D, stating that even though Recommendation D was issued by the Polish Financial Supervision Authority, it did not form part of common law and therefore was not binding.
  4. As there was no further legitimate ground for processing Mr X's personal data. Bank should have deleted Mr X's personal data from its IT system and back-up copies.
  5. GIODO stated that personal data processing in back-up copies in a situation where the data filing system no longer contains the data is also contrary to the purpose for which back-up copies are created. Back-up copies should reflect the up-to-date state of the relevant data filing system.
  6. GIODO guided data controllers that IT systems are just tools for personal data processing. IT systems should be construed in a way which allows data controllers to process personal data in compliance with the relevant personal data protection rules. Thus, IT systems should be compliant with the relevant legal provisions.

Court judgments

  1. The Administrative Court upheld GIODO's decision. The Court stated that the idea of making back-up copies is to secure the processed personal data against any loss, damage or destruction. For this reason, if personal data are no longer in the relevant data filing system, there is no legitimate ground for keeping it in back-up copies.
  2. The Polish Supreme Administrative Court dismissed Bank's appeal. The Court emphasised that when there is no legitimate ground for personal data processing, personal data should be deleted from the relevant data filing system. According to the Polish Data Protection Act a data filing system is any set of personal data which is available based on certain criteria even if it is functionally divided. We should consider data filing systems and back-up copies as a one functionally divided data filing system. In such a situation deleting personal data from a data filing system means deleting it from both the data filing system and back-up copies.

Conclusions

  1. Based on the Polish Supreme Administrative Court ruling, all data controllers are obliged to delete personal data from their data filing system including back-up copies when there are no legitimate grounds for personal data processing.
  2. When the "original" personal data are deleted, processing personal data in back-up copies becomes unlawful.
  3. According to the Polish Data Protection Act, processing without a legitimate basis constitutes an offence. Data controllers may face criminal liability consisting of either a fine or up to 2 years' imprisonment. Every data controller may be required by GIODO's decision to delete specific personal data from back-up copies.
  4. GIODO decided that Bank could legitimately process the data for the purpose they were originally collected for. If they were originally collected for entering into a credit contract, not for archiving and Bank's operational security, there was no other ground for processing personal data in back-up copies.
  5. Personal data may be processed in back-up copies as long as there is at least one legitimate ground for personal data processing. Personal data may be processed for the purpose for which they were originally collected or for any other legitimate purpose provided that that purpose is not contrary to the original purpose of collection.
  6. In our view, GIODO should have examined whether Bank was processing the personal data in back-up copies for the purpose of a legitimate interest of the data controller, e.g. if Mr X was likely to make a complaint to the Polish Financial Supervision Authority for unlawful refusal of granting him a credit.
  7. Notwithstanding the above, both courts confirmed that regardless of any technical difficulties specific personal data must be deleted from back-up copies (e.g. personal data of any specific person).
  8. For controllers, this ruling seems to be difficult and expensive to implement. It may result in making/updating back-up copies on a daily basis. It is also uncertain whether a data controller may process personal data in the data filing system and/or back-up copies once the purpose for which those data were collected has ended but there are other lawful purposes not contrary to the initial one that still apply.