How can data subjects exercise their rights in the Republic of Poland?
Rights of data subjects rights are exercised in the Republic of Poland in accordance with provisions of the Regulation 2016/679 hereinafter “GDPR”[1]
The right to access data
Pursuant to Article 15 of the GDPR he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Refusal to provide information about the personal data being processed
Pursuant to Article 5 of the Act of 10 May 2018 on the Protection of Personal Data (Journal Laws 2019 item 1781) the controller performing a public task shall not convey information referred to in Article 15 para. 1-3 of the Regulation 2016/679 if this serves the performance of a public task and non-fulfilment of the obligations referred to in Article 15 para. 1-3 of the Regulation 2016/679 is necessary to fulfil the purposes referred to in Article 23 para. 1 of that Regulation, and fulfilment of those obligations:
1) shall make it impossible or shall significantly hinder the performance of a public task, and the interest or fundamental rights or freedoms of the data subject are not superior with respect to the interest ensuing from the performance of that public task or
2) shall infringe the protection of classified information.
The right to correct or delete data
Pursuant to Article 16 of the GPDR the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
In accordance with Article 17 of the GPDR the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
However, this provision shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
VIS data controller in Poland
In Poland, the right of access shall be exercised directly. It means that data subjects have to send their requests to the data controller. Pursuant to Article 10 of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, in Poland the Commander-in-Chief of Police is the controller of the data processed in the Visa Information System.
Requests for access, correction or deletion of data should be addressed:
a) by post:
Centralny Organ Techniczny KSI
Komenda Główna Policji
ul. Puławska 148/150
02-624 Warszawa
Polska
b) via an electronic inbox available on the website
Please kindly note all requests for exercising rights of access, correction or deletion sent directly to the UODO will be forwarded to the Commander-in-Chief of the Police which will result in the extension of time required to reply them.
In order to exercise your rights you can use forms attached below.
Detailed information on formal requirements regarding the application and contact details is available on the website of the Police.
Complaint to UODO
In order to ensure an appropriate level of legal protection for persons whose data is stored in the Visa Information System, the Office of Personal Data Protection controls whether the use of data does not violate the rights of the persons concerned. These controls are carried out in accordance with the provisions on the protection of personal data. Each person whose data is processed in the Schengen Information System has the right to lodge a complaint to the President of the Office of Personal Data Protection for the implementation of personal data protection regulations.
Detailed information on the possibility to lodge a complaint can be found here.
[1] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)