On 25 May 2018, the General Data Protection Regulation (GDPR) became directly applicable in Poland and the other Member States of the European Union (it had entered into force in May 2016, with a two-year transition period). The GDPR has a significant impact on the discovery and disclosure of electronically stored information (ESI) whenever that information relates, wholly or even partly, to an identified or identifiable natural person. In such cases, the rules for processing personal data set out in the GDPR apply and must be observed by any person or entity that determines (alone or jointly with others) the purposes and means of the processing of personal data (i.e., the data controller).
A particularly significant issue related to personal data processing is the necessity to identify a valid legal basis for processing activities, such as storing (including in electronic form) and sharing (granting access to) personal data. In accordance with Article 6.1 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
Because this catalogue of legal bases is closed, a data controller faced with the discovery or disclosure of ESI containing personal data must identify which of these bases applies before it stores or shares the data. In court proceedings, the bases in points (c) and (f) above are generally the relevant ones.
The basis in point (c) may be relied upon by the data controller if a specific provision of law requires a person or entity to disclose certain categories of personal data for a specific purpose. Under Polish law, an example is the list of information that must be included in admissible pleadings (Article 126 of the CPC). However, given the varied nature of potential evidence in both criminal and civil cases, it is unlikely that a provision of law will be sufficiently precise as to the scope and purpose of the personal data to be disclosed for a controller to be able to rely upon it in most situations.
Consequently, the basis in point (f) must be considered by a controller wishing (or required) to disclose personal data, or to obtain it, in the course of (or in relation to) legal proceedings. Whether a legitimate interest of the controller (or of a third party) exists must be assessed, taking into account various factors. Recital 47 of the GDPR indicates that the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. The Recital specifies that the existence of a legitimate interest requires careful assessment, including of whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. For this reason, a controller must be diligent when drafting the data processing information clauses that the GDPR requires it to provide when collecting personal data (Articles 13 and 14), and should ensure that the potential disclosure of personal data in legal proceedings is listed as a possible form of processing of an individual's data. The Recital goes on to indicate that the interests and fundamental rights of the data subject could override the interest of the data controller where personal data are processed in circumstances in which data subjects do not reasonably expect further processing.
Recital 47 also states that the processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller concerned. In any case, a particular disclosure will require the controller to perform a legitimate interest test (balancing its interest against the rights and reasonable expectations of the data subject) and, depending on the outcome, to disclose or refrain from disclosing the data, at least in a form that identifies the data subject.
A further issue is that, should a controller decide to anonymise or redact the data it submits in proceedings, the court may treat the material as altered and refuse to admit it as evidence.
The GDPR also includes a separate list of circumstances allowing for lawful processing of certain categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health, or data concerning a natural person's sex life or sexual orientation. One of the admissible circumstances is when processing is necessary for the establishment, exercise or defence of legal claims (Article 9.2(f)).
As an EU Regulation, the GDPR does not restrict transfers of personal data within the European Union. However, transferring personal data outside the European Union (or, more precisely, the European Economic Area (EEA)) is restricted unless specific conditions are met. These conditions depend on the level of risk posed by the circumstances of a given transfer. First, a transfer of personal data to a third country or an international organisation may take place if the European Commission (the Commission) has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. A transfer of this type does not require any specific authorisation (Article 45 of the GDPR).
In the absence of an adequacy decision from the Commission, a controller may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46.1). The appropriate safeguards may be provided by:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules (within a group of companies);
- standard data protection clauses adopted by the Commission in accordance with the examination procedure;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
If there is neither an adequacy decision from the Commission nor any appropriate safeguards in place, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only under the derogations for specific situations in Article 49 of the GDPR, one of which is that the transfer is necessary for the establishment, exercise or defence of legal claims (Article 49.1(e)). Reliance on this derogation must be sufficiently justified and documented by the transferor.
According to Article 48 of the GDPR, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a Member State, without prejudice to the other admissible grounds for transfer described above. In practice, a foreign discovery order alone therefore does not provide a lawful ground for transferring personal data out of the EEA.