Draft Act on corporate governance in companies with State Treasury participation - opinion
Publishing personal data on the persons managing companies with State Treasury participation to the extent proposed in the draft Act in a single central and public register is a solution that goes too far. Performing a privacy test for the project, or, as required by the GDPR, a data protection impact assessment, would allow the drafter to develop solutions that would achieve the project's objective in compliance with data protection provisions.
The purpose of the draft Act is to ensure professionalism and expertise in the management of public assets. The draft Act includes, among others the extension of the qualification requirements for recruitment to supervisory boards of the companies with State Treasury participation. It also assumes full disclosure of these persons’ remuneration, as well as making their personal identification number (PESEL number) public. The data would be published in a publicly accessible register and updated monthly. The data of candidates for management and supervisory boards would be published in the Bulletin of Public Information.
As noted by Mirosław Wróblewski, the President of the Personal Data Protection Office, such a change in the law would involve the processing of large amounts of data of natural persons, including PESEL numbers, broadly understood remuneration and data on convictions and prohibited acts.
In the opinion of the Personal Data Protection Office, the draft Act concerns two competing values: transparency in public life and the right to privacy. The legislator must therefore balance them well, taking into account that the Constitution of the Republic of Poland (Article 51(2)) stipulates that public authorities may not obtain, collect and share information about citizens other than what is necessary in a democratic state under the rule of law.
In the opinion of the President of the Personal Data Protection Office, at this stage of legislative work, two issues in particular require re-analysis by the drafter:
- The need to conduct a "privacy test" - to assess the impact of the draft Act on the protection of personal data (as required by Article 35 of the GDPR). Conducting this test is important to justify the thesis that a public database containing so much information about citizens is necessary to achieve the purpose of the law. And that this purpose justifies the risks to which those included in the registry would be exposed. And that less invasive methods would not be effective.
- The register should not disclose PESEL numbers, and data on remuneration should be (in accordance with the case law standards of the Court of Justice of the EU) made available after meeting certain conditions (e.g. at the request of an authority or persons declaring the need to obtain such information).
Moreover, the President of the Personal Data Protection Office noted that the analysis regarding the right to privacy should apply to all draft acts dealing with similar issues - the parliamentary draft Act amending the Act on restrictions on conduct of business activities by persons performing public functions and certain other Acts [parliamentary print no. 155 ] or the parliamentary draft Act amending the Act on restrictions on conduct of business activities by persons performing public functions and certain other Acts [parliamentary print no. 156 ] - to both of which the Personal Data Protection Office has presented its position. Consideration should be given to the adoption of a single comprehensive act in the legal order regulating the transparency of persons performing public functions.
The opinion of the President of the Personal Data Protection Office regarding the parliamentary draft Act on amending certain Acts in order to improve corporate governance in the companies with State Treasury participations is available in the file attached below.