Contact: Joanna Tomaszewska; SSW Spaczynski, Szczepaniak i Wspolnicy S.K.A.
The Supreme Administrative Court, in its judgement of 21st February 2014 (I OSK 2445/12), supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued towards Google Inc. The DPA had argued that only a natural person may be appointed to the function of information security administrator (i.e. the Polish equivalent to a data protection officer, DPO) in a company, and that such appointment may not include a multi-structured legal person.
On December 2011 the DPA ordered Google to remedy infringement it had committed whilst processing personal data (i.e. to remedy its previous failure to appoint an information security administrator). Google had breached the Personal Data Protection Act (the Act) by having failed to appoint an information security administrator, which came to light during a DPA investigation into the processing of personal data within Google’s Street View service.
Pursuant to the Act, a data controller shall appoint an information security administrator to supervise compliance with the rules of personal data processing, unless such duties are performed by the data controller directly. In the DPA’s opinion, only a data controller who is a natural person is capable of simultaneously being appointed as an information security administrator. As regards companies that are legal persons, they shall be required to appoint a natural person as the information security administrator.
Google disagreed with the DPA’s decision and filed an application for its reversal, arguing that the essence of ensuring compliance with the aforementioned rules does not demand that such actions may only be performed by a natural person. However, neither the Voivodship Administrative Court nor the Supreme Administrative Court accepted Google’s position.
