photo
04.10.2024

The Act on the Protection of Minors (known as Kamilek's Law) needs corrections

The President of Personal Data Protection Office has asked Adam Bodnar, Minister of Justice, to initiate amendments to the provisions of the Act on the Protection of Minors in terms of bringing them into line with data protection principles.

The new law - amending the previous provisions of the Act on the Protection of Minors - increased the protection of children's rights by better collecting signals from children and checking the competence of those working with children, which was much needed. However, clarification of the law seems necessary, as the collection and processing of data - including sensitive data and special categories of data - that the law prescribes for educators and those in contact with children may constitute a serious interference with the fundamental rights to respect for private life and to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights.

The President of the Personal Data Protection Office provides a precise analysis (attached) of how to apply the principles of GDPR to improve and supplement the Act. He asks the Minister of Justice to respond to this submission in writing within 30 days of receipt.

GDPR Standards

According to Article 5 of the GDPR, the processing of personal data should be carried out in accordance with the basic principles of personal data processing, i.e:

  • lawfulness, fairness and transparency of data processing;
  • purpose limitation
  • data adequacy (minimisation)
  • data accuracy; limitation of the data processing
  • data integrity and confidentiality

The right to privacy and the right to protection of personal data are obviously not absolute. However, limitations to rights and freedoms may only be imposed if they are necessary and genuinely meet objectives of public interest or the need to protect the rights and freedoms of others.

In order for personal data to be adequately protected - according to the principle of confidentiality and integrity - the legislator should carry out so-called privacy test - a data protection impact assessment (Article 35(1) and (10) GDPR). This impact assessment and balancing of interest is crucial in this case. At stake are provisions that serve the very important purpose of keeping children safe. At the same time, ensuring that this objective is fulfilled involves a profound intrusion into the sphere of rights and freedoms of individuals.

Problems with personal data processing under the Act on the Protection of Minors

Principle of lawfulness, fairness and transparency

The President of Personal Data Protection Office points out that the Act does not provide an adequate legal basis for the standards of protection of minors (referred to in Article 22c(1) and (3) of the Act). Indeed, it refers to guidelines, which, however, do not have the character of legal standards. Therefore, they cannot shape the key elements of data processing.

The provisions relating to the sphere of rights of data subjects, as well as the obligations of controllers, are undefined (Article 21(1) in conjunction with paragraphs 2 - 8 of the Act, Article 22c(1) and (3) of the Act).

The subject and object scope of the Act is imprecise, there is no regulation of the principles of data processing, including retention period for personal data and guaranteeing data security. This entails the risk of excessive personal data processing and therefore is not in compliance with the principles of purpose limitation and data minimisation. In relation to the standards of child protection, only a model for verifying the child's identity and verifying the relationship with the parent/guardian has been specified at their level, rather than at the statutory level.

Information obligation

According to the current wording, the information obligation is to be implemented under the same conditions for the persons affected by the negative action as for the perpetrator of the negative event, which is the subject of numerous doubts raised by controllers obliged to implement it. It may be necessary in such a situation to analyse Article 23 of Regulation 2016/679, the application of which will allow to adopt a proportionate solution for the implementation of data subjects' rights.

The principle of purpose limitation and proportionality

The President of the Personal Data Protection Office has raised concerns about the provision that requires the employee's criminal record data (Article 21(3) of the Act). This is because the legislator has defined broadly the scope of offences that involve restriction of professional activities of individuals. This may lead to a situation where, in the absence of any risk to minors, the circumstance of a conviction will obligatorily exclude such persons from the possibility to work or cooperate. An in-depth and precise analysis is therefore required of the catalogue of offences in relation to which it is necessary to obtain information from the National Criminal Register, which has an impact on the assessment of whether a particular person is allowed to take custody of a child.

Verification of the employee's criminal record and sex offence register

Significant interpretative doubts relate to the provision on the obligation of employers and other organisers to verify the criminal record of persons undertaking work or activities related to work with children (Article 21(1) of the Act in conjunction with paragraphs 2-8 of the Protection of Minors Act). Prior to employment, the prospective employee is to provide information from the National Criminal Register or submit a declaration of no criminal record (Article 21(3-7) of the Act), and the employer is additionally to verify the job applicant's data in the sex offender register (Article 21(2) of the Act ). For controllers, this implies the processing of personal data with a special processing regime (Article 10 GDPR).

The circle of entities obliged to verify information on criminal records is questionable. The way in which the provision of Article 21(1) of the Act is worded - as to ‘the employer or other organiser of the activity’ being subject to the obligations set out in the Act - indicates an open catalogue of persons. The hyphen ‘or’ makes it difficult to identify the persons who have obligations in this respect. In turn, the doubts raised to the supervisory authority concern who should verify this. Even if the intention of the legislator was to provide broad protection, it cannot be assumed at the same time that the acquisition of data for the verification of employees/activity contractors for the indicated purpose can be carried out by an unlimited number of entities.

At the same time, the processing of personal data under Article 21 of the Act should not take place on the occasion of every work or activity involving children, but only that which arises from the employee's duties. The current wording of the provision raises questions of interpretation at this point.

Another problem is that the Act does not specify whether and how the verification of employees during the course of their employment is to take place, as well as those who were already employed before the entry into force of the provisions of the law expanding the circle of activities concerning work with children and subject to verification. Instead, defining precise legal norms on the specific moment when an employer verifies an employee's non-criminal record is of utmost importance, as it is related to the frequency of obtaining data from public records.

Data collected to stock in the guidelines on minors standards

In the case of individuals for whom the employer does not know whether to check their criminal record (due to the tasks they perform in the organisation), another problem arises.

The guidelines referred to by the Act impermissibly assume from the perspective of the GDPR that ‘in situations of any doubt, the employer may always ask employees who do not work directly with children, but may have indirect contact with them, to sign voluntary declarations of non-criminal conviction and include them in their personnel file’ (p. 12 of the guidelines for accommodation establishments).

Requesting information more broadly, ‘for the future’, results in unwarranted and excessive processing of individuals' personal data.

The guidelines also provide for a range of documents to identify the child and his/her relationship with the adult with whom he/she arrives at the facility, e.g. an Internet Patient Account. In addition, the guidelines provide for the possibility of obtaining a wide range of information in the absence of, or refusal to produce, an identity document, thus creating the possibility to also seek other means of authenticating the child and their carer.

The methods of data subject authentication should therefore be clearly and specifically defined in the provisions of the law, and they should also adhere to the principle of proportionality.

The principle of storage limitation

The provisions of the Act do not indicate the retention period of data processed by controllers for the purposes under the Protection of Minors Act. The Act does not specify what happens if, for the purposes of recruitment, an employer collects the required data, but cooperation with the person does not take place. In addition, the provision providing for records of interventions in situations of suspected abuse of a minor (Article 22c(1)(8)) does not provide for how long such records are to be retained.

Principle of data integrity and confidentiality

The conditions of personal data processing, such as the manner and form of documenting, the principles and duration of storing information (disclosed or reported incidents or events), or, finally, the circle of entities processing personal data, do not derive from the Act. In particular, the current regulations do not specify who is to have access and under what conditions to the acquired data. The legislator has also not indicated under what conditions the implementation of the minor standards is to take place, given the diversity and specificity of the sectors in which they will apply (e.g. hospitality activities, cultural activities, educational activities, medical activities, etc.). This is of particular importance in view of the challenges posed by the development of new technologies and the guarantees that the legislator should provide for the processing of special categories of data as defined in Article 9(3) and (4) of Regulation 2016/679.

The principles of personal data processing, in relation to the Act on the Protection of Minors, were already reminded by the Personal Data Protection Office earlier in the communication „How to apply the ‘Act on the Protection of Minors’” in compliance with personal data protection standards.

Attached files

Pobierz plik DOL.413.9.2024