The retention of telecommunications data must be brought into line with EU standards
Mirosław Wróblewski, President of the Personal Data Protection Office, presented a significant opinion regarding the data retention obligations of mobile network operators. The supervisory authority highlighted the issue of the incompatibility of national regulations on the retention of telecommunications data with the Polish Constitution and European Union law. The opinion, presented in case no. I C 1281/25, is intended to assist the court in interpreting and applying data protection regulations in the context of the obligation to retain telecommunications data.
The case concerns the retention of data stored by mobile network operators. Operators collect traffic and location data, such as phone numbers, SIM card and device identifiers, IP addresses, dates, times of calls, call durations, and other information. In the opinion of the President of the Personal Data Protection Office, this constitutes personal data because, when combined with other data, it allows for the identification of a specific individual. Traffic and location data, when analysed over a longer period, allow for the reconstruction of a detailed picture of a user’s activity—including their daily behaviors, social relationships, and lifestyle.
The President of the Personal Data Protection Office believes that national regulations need to be brought into line with European standards, as the obligation to retain users’ traffic and location data, as currently regulated, is contrary to European Union law and the Charter of Fundamental Rights of the European Union. At the same time, the national court, in adjudicating the case, should assess the compatibility of national regulations with EU law and take into account the interpretation of the CJEU.
Current regulations require operators to retain such data for a period of 12 months—regardless of whether users are suspected of committing a crime. The data may be made available to authorised authorities, and after this period expires, it should be destroyed. The data retention model is preventive in nature—it applies to all citizens, which, in the opinion of the President of the Personal Data Protection Office, raises serious concerns in light of European standards.
The President of the Personal Data Protection Office, citing the case law of the Court of Justice of the European Union, points out that general and indiscriminate data retention is contrary to EU law. The Court of Justice of the European Union has repeatedly emphasised that data collection by telecommunications operators may be permissible only to the extent strictly necessary and proportionate—e.g., to combat serious crime or protect national security. In turn, the European Court of Human Rights, in its judgment of June 28, 2024, found that Polish regulations concerning operational surveillance and access to communications data do not provide sufficient safeguards for the protection of the right to privacy.
Referring to the Constitution of the Republic of Poland, the President of the Personal Data Protection Office noted that data retention infringes upon the right to privacy (Article 47), the freedom and confidentiality of communication (Article 49), and the individual’s informational autonomy (Article 51). Restrictions on these rights may be imposed only by statute and only when they are necessary in a democratic state governed by the rule of law. The case law of the Constitutional Tribunal further emphasises the need to ensure mechanisms for controlling access by authorities to telecommunications data and the obligation to immediately destroy information irrelevant to ongoing proceedings.
The opinion presented by the President of the Personal Data Protection Office does not constitute a ruling on an individual case or a binding interpretation of the law. The supervisory authority noted that the matter concerns the limits of state interference with the right to privacy and the informational autonomy of its citizens.
The immediate impetus for taking a position on this matter was the referral of a preliminary ruling by the District Court in Gdańsk to the Court of Justice of the European Union in Case C-741/25 Ranerski. The case concerns the interpretation of Article 15(1) of Directive 2002/58/EC in conjunction with Articles 7, 8, 11, and 52(1) of the Charter of Fundamental Rights of the European Union. The very fact that a preliminary ruling has been requested demonstrates—in the opinion of the President of the Office—the significance of the issue and the doubts regarding the compliance of Polish regulations with EU standards.
The position of the President of the Personal Data Protection Office may serve as an important point of reference in further discussions regarding the data retention model in Poland. The implications of the CJEU’s response to the preliminary ruling request from the District Court in Gdańsk, however, may have significance not only in legal terms but also in terms of the political system—as they will address the limits of state interference in citizens’ lives and the relationship between public safety and the right to privacy.
Every data processing operation must be based on one of the legal grounds specified in Article 6(1) of the GDPR. The list of grounds is exhaustive, and compliance with the law requires that at least one of them be met. In the case of processing based on the controller’s legal obligation (Article 6(1)(c)) or on the performance of a task carried out in the public interest (Article 6(1)(e)), the legal basis must be Union or Member State law.
According to the President of the Office, the data processing principles set forth in Article 5 of the GDPR are of particular importance: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. The supervisory authority noted that any national regulation providing for mass data processing must be assessed in light of these principles.
DS.552.1.2026