Can an individual withdraw its consent for processing personal data? If yes, how it can be done? Are data controllers ready for such option? All these questions became very topical upon adoption of amendment to the Polish data protection regulations.
The main Polish regulations regarding processing of personal data are contained in the Personal Data Protection Act of 1997 (hereinafter: PDPA) that implements Directive 95/46 into Polish law. Generally, personal data is processed on the basis of consent given to data controllers by the person whose data are processed. Hence, rules regarding consent are crucial for all those who are involved in data processing. The latest amendment to the PDPA provides a small but significant change to the existing regulations. As such it is certainly worthy of blog subscribers’ attention.
Until now, one of the main controversies related to the issue of consent under PDPA was connected with the possibility of withdrawing consent for processing data. The regulations have not expressly provided any mechanism for an individual to withdraw consent. Although the possibility of withdrawing consent was widely approved, divergent opinions have also been presented.
One of the aims of the amendment to the PSDA that was adopted by Parliament on 24 September 2010 was clarifying the issue related to withdrawal of consent. The amendment to article 7 point 5 of PSDA expressly provides that consent for processing personal data can be cancelled by an individual at any time. According to the justification to the draft amendment, due to the ambiguous interpretation of “consent” in judicial doctrine, the proposed amendment clearly provides that it is permissible to withdraw (cancel) consent.
Most of the market participants that expressed their views and remarks to the draft amendment stated that introducing clear and unambiguous regulations permitting withdrawal (cancellation) of consent to process personal data are necessary and desired. However, some commentators raised the lack of detailed rules regarding cancellation of the consent in the draft amendment.
The impact of the amendment may be significant. Existing data processing infrastructure must be adopted in order to allow for effective cessation of data processing upon receipt of an individual’s cancellation. This would probably require IT adjustments and adoption of new internal procedures.
Since the amendment is so brief, it seems to only partially solve old controversies. The amendment is clear in a way that it gives individuals the right to withdraw consent at any time. However, some important questions still remain unanswered. First and foremost, no form of cancellation is determined. Therefore, it is not clear what kind of statement would suffice for cancellation. Does the answer depend on the form of original consent? It is not determined when the cancellation is treated as being sufficiently delivered to the addressee? Who should be the addressee of the cancellation? Who is bound by the cancellation? What are the obligations of the data controller upon receipt of the cancellation? Can the consent be cancelled only partially (e.g. in respect of specific territory)?
Amended Polish regulations do not provide clear answers to these questions. Needless to say such a situation creates a significant risk for data controllers. Processing data despite cancellation of consent means that such data are processed illegally. All the above questions must be answered in the near future. Hopefully, Polish data protection authorities will provide some interpretations in this respect.
All experiences from other jurisdictions are welcomed.