Abstract
The author of the article set herself the goal to interpret Article 6d of the Act of 26 April 2007 on crisis management, and assess whether the adopted solution fulfils the legislator’s assumptions described in the explanatory memorandum to the draft of the amending act. The main subject of analysis is Article 6d(1) of the Crisis Management Act of 26 April 2007, according to which, a critical infrastructure operator may demand that an employee or prospective employee whose position allows access to information on the security of a critical infrastructure facility submit information about any criminal record, including whether their personal data is kept in the National Criminal Register. According to the author, it is important that this provision should be interpreted in accordance with Article 10 of the General Data Protection Regulation, which sets the framework for the legislator in terms of the way the rules on the processing of data concerning criminal convictions and offences are implemented in the legal system. The interpretation of Article 6d(1) of the Crisis Management Act, in the context of Article 10 of the GDPR, should take into account the requirement imposed on Member States’ legal systems to provide for adequate safeguards for the rights and freedoms of data subjects regarding authorisation to process data concerning criminal convictions and offences. The author provides a detailed analysis of what constitutes information on the security of a critical infrastructure facility, as this concept is not defined by the legislator, while it significantly affects the scope of the provision and is crucial from the point of view of its application in practice. By analysing individual elements of this provision, the author concludes that a critical infrastructure operator will be able to ask an employee or prospective employee whether they have been convicted in the past and whether their personal data is in the National Criminal Register. However, the operator may only obtain from such a person a positive or negative response, i.e. that they have or have not been convicted, and such information does not meet the legislator’s legitimate aim of giving infrastructure operators a key tool to verify credibility and reliability of a person who possesses important information from the point of view of state security. The analysis also finds that the provision does not address the consequences of a key infrastructure operator obtaining such information; for example, whether it may be the basis for changing the scope of an employee’s duties or terminating their employment contract, or whether it may be the reason for refusing employment.