Abstract
The start of the application of the GDPR forced the national legislator to amend the provisions of the Electronic Service Delivery Act and the Telecommunications Act.
With a view to direct application of the GDPR Art. 16–17, Art. 19(1)–(2) and 19(4)–(5) as well as Art. 20–22 of the Electronic Service Delivery Act were repealed. The legality of personal data processing in the situations so far described in those provisions is now assessed according to the relevant provisions of the GDPR.
Art. 18 has been left unamended. Insofar as leaving the existing provisions of sections 5 and 6 of this article is not controversial as they constitute implementation of Directive 2002/58, i.e. a sectoral regulation to the GDPR, no repealing of sections 1 to 4 should be assessed otherwise. Those provisions are autonomous, i.e. they were adopted by the Polish legislation apart from any European regulations. Therefore, it seems that upon coming into force of the GDPR they should be removed and the processing of personal data of service recipients should be governed exclusively by the rules laid down in the General Regulation. This follows from the principle of primacy of EU law established in the case law of the CJEU.
In accordance with the new wording of Art. 161.2 of the Telecommunications Act, adopted in the harmonisation act, the processing of personal data – other than those enumerated in Art. 159(1)(2)–(5) of the Act – of users who are natural persons takes place under personal data protection provisions, i.e. the provisions of the GDPR and the national provisions enacted as a supplement thereto. The change introduced in Art. 161(2) of the Telecommunications Act has been aimed to make it absolutely clear when the processing of user personal data is governed by the provisions of the Telecommunications Act concerning the processing of information protected under telecommunications confidentiality and when by the personal data protection provisions (GDPR). In accordance with the adopted solution the provisions of the Telecommunications Act govern the processing of data specified in its Art. 159(1)(2)–(5) (information protected under telecommunications confidentiality), as well as to the extent in which they concern natural persons and may be classified as personal data within the meanings of the GDPR. Personal data - other than those specified in Art. 159(1)(2)–(5) of the Telecommunications Law – of user being natural persons are processed under the personal data protection provisions.
In the course of work on the amendment of the Telecommunications Act the legislator eventually resigned from repealing its Art. 161(3), which reads as follows: “Apart from the data referred to in section 2, providers of publicly available telecommunications services may, upon the consent of a user being a natural person, process other data of that user in connection with the service provided, in particular their bank account number or payment card number, as well as contact phone numbers.” This gives rise to significant interpretational controversies as after the last amendment Art. 161(2) lacks the listing of the categories of data referred to in Art. 161(3) of the Act. In this manner, it is impossible to establish the range of data which could be processed under the consent – section 3 refers to “data other than those specified in section 2”, while amended section 2 no longer provides for – unlike previously – a closed catalogue of data. This constitutes a substantial obstacle for conducting business operations by the entities to which the provisions of the Telecommunications Act apply. Doubts are aroused also by the indication in Art. 161(3) of the Telecommunications Act of the consent as the sole prerequisite legitimising the processing of the categories of data specified therein. In this case it should be admissible to process personal data under all prerequisites specified in Art. 6 of the GDPR, including the prerequisite of the legitimate interests (Art. 6(1)(f). The introduction of this restrictions arouses doubts from the viewpoint of the principle of primacy of EU law.
Key words: GDPR, electronic telecommunications services, Electronic Service Delivery Act, Telecommunications Act
Słowa kluczowe: RODO, usługi łączności elektronicznej, ustawa o świadczeniu usług drogą elektroniczną, prawo telekomunikacyjne