In light of the above, it is worth mentioning, first and foremost, a recent judgment of the Supreme Administrative Court, in which it held that the content of a number plate does not constitute data relating to an individual’s privacy. This follows on from an earlier judgment of the Supreme Administrative Court, which indicated that a car’s registration number is not subject to protection under the right to privacy, as it identifies the car and not the person. Despite the consistent position in case law, this is not so obvious and is not shared by both legal scholars and data protection authorities. According to the position of the President of the Personal Data Protection Office (UODO), as set out, for example, in the aforementioned 2022 judgment, but also in other cases, the data contained in number plates constitutes personal data within the meaning of the law and is subject to protection under the GDPR. This view is also shared by the ICO, which points out that, amongst other things, a vehicle registration number may constitute personal data, as it can be used to identify a natural person.
There is also controversy regarding whether a telephone number falls within the definition of personal data. On the one hand, the digits comprising a telephone number do not in themselves meet the definition of personal data; on the other hand, however, the use of a telephone number enables us to contact that person. In the view of GIODO, a telephone number did fall within the definition of personal data. The Provincial Administrative Court in Warsaw took the opposite view in its judgment of 13 April 2021, in which it stated that “a telephone number does not allow for the identification of a specific person. It can only serve as a basis for taking specific steps to identify the holder of the number – the subscriber or the person who actually uses the number.” Despite the divergence of views in legal doctrine regarding the classification of a telephone number as personal data, the majority of these views nevertheless indicate that the ability to identify a natural person should refer to determining the identity of a specific natural person on the basis of information held or potentially obtainable, rather than to the mere act of seeking to establish information constituting personal data.
Recently, consideration has also been given to whether the email address of a company’s CEO, containing his first name or surname, falls within the scope of the concept of personal data. Both the President of the Personal Data Protection Office (UODO) and the Provincial Administrative Court in Warsaw have adopted the same position on this matter, stating that since the email addressof a member of a body acting on behalf of a legal person is linked to the existence of that legal person and is used to contact external parties, then in such a situation, a personalised email address cannot be regarded as data identifying a natural person, as it is used for the activities of the legal person. Legal doctrine takes a different view, pointing out that since a personalised email address identifies a natural person and is automatically processed, the GDPR should, in principle, apply to it, unless exceptions are provided for in this regard. The Article 29 Working Party also presented its position, stating that when assessing whether an email address used in the course of business activities falls within the concept of personal data, criteria relating to content, purpose or effect must be taken into account. If taking these into account allows the information relating to a natural person to be recognised, it should be considered personal data. However**,** in the aforementioned case, the authority and the court, without taking the above criteria into account, jointly concluded that since the email address belonged to a person holding a specific position within the company, it is automatically linked to the company’s activities and therefore does not fall within the scope of protection provided for in the GDPR.
In view of the above, it should be noted that despite the GDPR having been in force in the Polish legal system for several years, the classification of certain information as personal data remains ambiguous and is determined on a case-by-case basis.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ (EU) L 119, 2016, p. 1, as amended).
Supreme Administrative Court.
Judgment of the Supreme Administrative Court of 3 November 2022, ref. no. III OSK 1522/21.
Judgment of the Supreme Administrative Court of 14 May 2021, ref. no. III OSK 1466/21.
Office for Personal Data Protection.
Inspector General for Personal Data Protection – the personal data protection authority in Poland from 1997 to 2018.
Judgment of the Provincial Administrative Court in Warsaw of 13 April 2021, II SA/Wa 1898/20, LEX No. 3185223.
Judgment of the Provincial Administrative Court in Warsaw of 19 September 2022, II SA/Wa 559/22, LEX No. 3439957.
Opinion 4/2007 on the concept of personal data.
She specializes in civil, commercial and business law. In the corporate and energy department, her activities are mainly based on providing corporate services to companies, reviewing and preparing commercial contracts, drafting litigation and non-litigation pleadings and preparing analyses and legal opinions, particularly in the sphere of business law and energy law. She also has professional experience in administrative and civil proceedings, which she gained in Warsaw law firms. She supports the Firm's…
View profile →HWW lawyers offer consultations in Warsaw and online.
Do not miss the next analysis
Key legal changes and their business impact, once a month to your inbox.
By subscribing you accept the privacy policy. Unsubscribe with one click.
