Not granting personal data subject’s request is an administrative decision
The Supreme Administrative Court (SAC) dealt with the admissibility of an action for protection against unlawful infringement by an administrative body in a case where a personal data subject was not satisfied with how their request under the personal data protection regulation was dealt with. In the case in question, the infringement was allegedly committed by the Police of the Czech Republic, as it denied a request to delete personal data from the national Record of Undesirable Persons and from the Schengen Information System (SIS II).
In the case in question, the complainant was apprehended upon his arrival at an international airport in Paris and denied entry into France on the grounds that he had been recorded by the Czech police in the national Record of Undesirable Persons and in the SIS II system. The complainant then approached the Czech police with a request for information as to what personal data they had processed about him, and how long they intended to keep such data if it cannot be deleted immediately. The police responded by a notice stating what personal data of the complainant it had processed, and after what time the data would be deleted; the request to delete the data was not granted.
The complainant then sought the deletion of his personal data or its exclusion from the Record of Undesirable Persons and SIS II by means of an action for protection against unlawful infringement by an administrative body filed with the Municipal Court of Justice in Prague. The Municipal Court of Justice in Prague found the complainants’ inclusion in the Record of Undesirable Persons in compliance with legal regulations, and dismissed the action as groundless. The complainant then filed a cassation complaint with the SAC against this decision.
To decide on the merits of the case, it was crucial to determine the nature of the notice given by the Czech police stating that the request for deletion of personal data was not to be granted. In line with its previous case law, the SAC held that although the notice had not been issued in an administrative procedings, it was still the result of a certain formalised process (under Section 83 of the Act on the Police of the Czech Republic). The fact that the notice by the Czech police is not a result of administrative procedings governed by the Administrative Procedure Code or another procedural regulation does not mean that it cannot be considered an administrative decision. The court mainly based its conclusions on the previous decision of the extended panel of judges of the SAC summarising the characteristic features based on which certain act can be viewed as an act issued in a formalised procedure (having a concrete addressee, written form and delivery, required essential content – namely a rationale and advice/caution), as well as on the structure of the notice, which was similar to a decision statement.
The SAC thus held that the notice by the Czech police was not just a declaratory letter, but an act capable of infringing on the complainant’s rights. According to SAC, the Czech police’s notice on not granting the request to delete personal data was, in effect, a negative administrative decision.
The complainant sought his rights by means of an action for the protection against unlawful infringement by an administrative body; such action is only admissible where no other remedy is available – in the case in question, the complainant should have first sought remedy by means of an action against the administrative body’s decision.
For the sake of completeness, please note that the present regulation of notices given by the Czech police is to be transferred to the new Personal Data Processing Act, which is currently going through the legislative process. It is impossible to predict what the content of the act will be when finally passed, yet, the present wording of the bill as proposed by the government does not indicate any conceptual changes in this respect.