Poland: Sanctions against Russia and Belarus following the invasion of Ukraine in the context of personal data protection of persons affected by sanctions

Council Regulation (EC) No 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus and the involvement of Belarus in the Russian aggression against Ukraine (hereinafter: Regulation 765/2006) and Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (hereinafter: Regulation 269/2014) list natural and legal persons, entities and bodies whose all funds and economic resources, whether owned, possessed or controlled, must be frozen. The EU Regulations also prohibit making available, whether directly or indirectly, any funds or economic resources to such persons.

Importantly, Article 5 of Regulation 765/2006 and Article 8 of Regulation 269/2014 stipulate that, without prejudice to the applicable rules concerning reporting, confidentiality and professional secrecy, natural and legal persons, entities and bodies are required to immediately supply to the competent authorities of the Member States any information which would facilitate compliance with the Regulations, such as accounts and frozen amounts, and to cooperate with the competent authorities in any verification of such information.

The Polish Act of 13 April 2022 on Specific Steps to Counteract Supporting Aggression against Ukraine and to Protect National Security, which became law on 16 April 2022, complements Regulations 765/2006 and 269/2014 in such a way that the Polish Minister of the Interior and Administration keeps an additional list including data of persons and entities subject to sanctions. This list is regularly updated and can be accessed on the Polish government website. The Polish statute also requires freezing and prohibits the making available of funds or economic resources to persons included in the list, and immediately providing information which would facilitate compliance with the Regulations, such as accounts and frozen amounts. Failure to comply with these requirements is punishable by an administrative fine of up to PLN 20,000,000.00.

The preamble of Regulation 269/2014 reads that for the implementation of the Regulation and in order to create maximum legal certainty within the Union, the names and other relevant data concerning natural and legal persons, entities and bodies whose funds and economic resources should be frozen are to be made public.

Any processing of personal data should comply with Regulation (EC) No 45/2001 of the European Parliament and of the Council and Directive 95/46/EC of the European Parliament and of the Council. These are acts of EU law that have already expired and have been replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) – so this is most likely an obvious mistake and a failure to update the Regulation. Nevertheless, it is still clear that any information referred to above should be made available in accordance with personal data protection laws.

In other words, it is each time necessary to properly identify the basis for the processing of personal data and to ensure that personal data of an individual are not processed excessively, i.e. to a greater extent than it is necessary to achieve purposes of the processing.

Therefore, we should now refer to Article 6(1)(c) of the GDPR saying that the processing is lawful provided that it is necessary for compliance with a legal obligation of the controller. As demonstrated above, both the Regulations and the Polish statute require that every natural and legal person disclose any information that will facilitate compliance with the above laws, including personal data and information on accounts and frozen amounts of listed persons. Therefore, the provision of this kind of information to competent authorities is lawful.