Poland: Does The President Of The PDPO Have Jurisdiction To Examine Complaints Regarding The Processing Of Personal Data By Parliamentary Investigative Committee?

In the first half of March, the President of the Personal Data Protection Authority (PDPA) responded to the Minister for European Union Affairs on whether the judgment of the Court of Justice of the European Union (CJEU) of 16 January 2024 in Case C-33/22 Österreichische Datenschutzbehörde will require relevant amendments to Polish law.

The facts of the aforementioned judgment were as follows. In 2018, an investigative committee was set up in Austria to investigate the possibility of political pressure on the Bundesamt für Verfassungsschutz und Terrorismusbekämpfung, which was replaced on 1 December 2021 by the Direktion Staatsschutz und Nachrichtendienst (Directorate for State Security and Intelligence Services, Austria). In the course of its work, the investigation committee interviewed an officer of the Federal Police brigade for combating crime on public roads as a witness. Despite the witness's request to anonymise his data, the committee disclosed it. The witness therefore filed a complaint to the Austrian national data protection authority (the "Authority") regarding the disclosure of his data.

The Authority dismissed the complaint on the grounds that, according to the principle of the separation of powers, the executive (i.e. the Authority) cannot exercise control over the legislative authority, under which the investigation committee was subordinate.

The witness then challenged the Authority's decisions before the Federal Administrative Court, which upheld the complaint and cancelled the Authority's decision, indicating that the Authority was legally competent to hear the complaint under Article 77 of the GDPR. The Authority brought an action against this ruling before the Administrative Tribunal, which asked the CJEU, inter alia, what entity has the competence to supervise the application of the GDPR by an investigation committee set up by the parliament of a Member State. In the judgment, the CJEU held that where a Member State has chosen under the GDPR to set up a single supervisory authority, but without conferring on it the competence to supervise the application of the GDPR by an investigation committee set up by the parliament of the Member State in the exercise of its powers of executive scrutiny, the provisions in question directly confer on that authority the competence to hear complaints about the processing of personal data by the aforementioned investigation committee.

Therefore, the Polish PDPA stated that, in the light of the CJEU judgment in question, it is to be assumed that the GDPR explicitly grants the PDPA President the jurisdiction to hear complaints regarding the processing of personal data by the investigation committee.

In addition, the PDPA highlighted that there is no need to amend the law in this regard. However, it will be necessary to take the insights provided by the above judgment into account when interpreting the provisions of the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.