Ikonka home dla okruszków News and events
photo
02.10.2025

The National Police Information System requires changes

Mirosław Wróblewski, President of the Personal Data Protection Office, informed Marcin Kierwiński, Minister of Interior and Administration, about the need to introduce changes to the existing legal regulations governing the functioning of the National Police Information System.

The need for amendment is related to the judgment of the Court of Justice of the European Union of January 30, 2024, in case C-118/22 Direktor na Glavna direktsia “Natsionalna politsia” pri Ministerstvo na vatreshnite raboti – Sofia. The Court examined the question raised by the Supreme Administrative Court of Bulgaria (bg. Varhoven administrativen sad) as to whether the provisions of Directive 2016/680 on the processing of personal data for the purposes of crime prevention permit the application of national provisions (in this case, Bulgarian) allowing for virtually unlimited processing of personal data by the competent state authorities, even after the data subject has served their sentence and the conviction has been expunged, and has requested the removal of their data from the police register.

The Court ruled that the provisions of the Directive and the Charter of Fundamental Rights of the European Union stand in the way of national law provisions which allow police authorities to store personal data:

  • without any obligation to periodically review whether such storage is still necessary,
  • without granting the data subject the right to have the data erased once they are no longer necessary for the purposes for which they were processed,
  • or, where applicable, the right to have their processing restricted.

CJEU judgment and national law

Under Polish law, the processing of data relating to convictions is governed by the following provisions:

  • the Act of May 24, 2000, on the National Criminal Register,
  • the Act of July 6, 2001, on the processing of criminal information,
  • the Act of April 6, 1990, on the Police, regulating the functioning of the National Police Information System.

According to the President of the Personal Data Protection Office, the CJEU ruling necessitates changes to the provisions concerning National Police Information System.

In their current wording, they do not specify clear and precise rules for data processing in the indicated register, including rules concerning the obligation of periodic review or the procedure for exercising the right to delete such data.

The obligation to periodically review personal data by the Chief Commander of the Police is to be introduced only by the amendment to Article 21nb(1) of the Police Act, according to which personal data collected in the National Police Information System shall be stored by the Police for the period necessary to perform its statutory tasks. The police authorities verify these data after the case in which they were entered into the database has been closed, and delete unnecessary data at least every 10 years from the date of obtaining or collecting the information.

According to the President of the Personal Data Protection Office, although the amendment to this provision should be considered an improvement in personal data protection standards, it still cannot be considered fully satisfactory. This is because it does not apply to all data processed by the police (only data relating to the statutory tasks referred to in Article 1(1) and (2)(1)-(4) of the Police Act). Furthermore, it continues to regulate the period of data processing imprecisely as “necessary for the performance of the statutory tasks of the police.”

Incorrect implementation of Directive 2016/680

The grounds for removing data from the police database are also not included in the Act of December 14, 2018, on the protection of personal data processed in connection with preventing and combating crime. Pursuant to Article 24(1)(2) of this Act, a request (application) for the deletion of data will be effective if the data have been collected or are processed in violation of the provisions of this Act. Importantly, however, this provision does not determine how to understand the premise for data deletion defined as “violation of the provisions of the Act,” which results from the incorrect implementation of Article 16(2) of Directive 2016/680, which clearly determines the degree of non-compliance in question.

The incorrect implementation of Article 16(2) of Directive 2016/680 means that data subjects have been deprived of any legal instrument (guaranteed by the provisions of the EU directive) to effectively request the police authorities to delete data collected in the National Police Information System. Ultimately, it is up to the Chief Commander of the Police to assess the need for further processing of data in the National Police Information System, and he is not obliged to give detailed reasons for refusing to delete the data.

The need for changes in the applicable legal provisions governing National Police Information System

Based on the CJEU judgment in question, as well as the provisions of Directive 2016/680, changes should therefore be made to the existing legal provisions governing the functioning of the National Police Information System by:

  • clearly and precisely defining the period for which such data may be stored,
  • specifying the rules for their periodic review,
  • and establishing the procedure for requesting its deletion or restriction of processing in relation to persons whose data is processed in the register.

DPNT.413.11.2025

The rulings and decisions of the President of the Personal Data Protection Office can be found at: https://orzeczenia.uodo.gov.pl/

 

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stanisława Moniuszki 1A, 00-014 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.