Criminal liability for document photocopy or scan?

The new Act on Public Documents stipulates criminal liability (up to 2 years of imprisonment) for production, offering, selling and storage with intent to sell of replicas of public documents (such as identity cards, driving licences, enforcement orders). Does it apply to photocopies of identity cards?

Can identity cards be photocopied?

It is an everyday occurrence when somebody asks you for a photocopy or scan of your identity card. Telecommunications companies, payment processors, banks, insurance companies or even sports equipment rental shops photocopy identity cards. Is it always justified?

On 12 July 2019, the new Act on Public Documents came into force. It sets out the rules governing the public document security system: the design, creation, storage and authenticity verification of public documents, changes to their security features, and awareness raising and international cooperation in relation to public document security.

It also contains one criminal provision that should be noted – Article 58, which reads as follows: “Whosoever produces, offers, sells or stores with intent to sell a public document replica shall be subject to a fine, penalty of limitation of liberty or imprisonment for up to 2 years”. In this context, some commented that this provision allows imposing penalties for photocopying identity cards. Other voices state that penalties only apply to the so-called “collectible identity cards”. We will explain what the truth is and why.

Public document – what is it?

The Act provides a very broad definition of public documents. It includes every “document that is used to identify persons, things or confirm legal status or rights of persons that use such document secured against falsification”. Such a document, to put it simply, is made in accordance with a template stipulated by law or on the basis of a form/model approved by a relevant authorised body.

For example, public documents are not just identity cards or passports, which are identity documents, but also driving licences.

Apart from the broad general definition the Act also defines a list of other documents deemed to be public documents. Those are vital statistics certificates, enforcement orders, rulings issued by courts or legal secretaries, some writs of execution, and selected documents drawn up by notaries.

What is more, “copies, transcripts, duplicates and replacements of public documents are public documents”.

Public document replica – what is it?

According to the Act on Public Documents, a replica is the following copy/imitation of a public document:
– its size is from 75% to 120% of the original;
– it has the authenticity features of a public document or public document form.

So, is photocopying of identity cards allowed? Obviously, leaving out other limitations that may arise from personal data protection laws (GDPR) in this context, nobody will go to jail for photocopying an identity card.

When we talk about a replica of a piece of art or a weapon, we think about objects that are confusingly similar to the original, which includes materials they are made of, shape, size, characteristics or even safeguards. A document replica is similar – it would have to have “authenticity features” of the original.

Please note, however, that the list of documents that will be deemed public documents includes also documents that do not contain obvious and complex security features like an identity card (such as holograms, raised elements, etc.). In such cases a photocopy or computer printout may be confusingly similar to the original, which means that, depending on the circumstances, they may be deemed to be replicas.

Such an interpretation has also been confirmed by the Ministry of Internal Affairs and Administration, which stated that the main objective of the new regulation is to develop a security system for public documents. This means that it is to protect public document holders against the use of any imitations or falsified documents closely resembling the true, original documents, as such fakes may be used to commit crimes, like identity theft or obtaining a loan with the so-called “collectible documents”.

When can I be sure that I can make a photocopy?

It is important to remember that the Act expressly allows making photocopies or computer printouts of identity cards. This applies to:

  1. Official, work or professional purposes determined on the basis of separate laws (for example, for the needs of identification by banks, insurance or telecommunications companies for the purposes stipulated in the Anti-Money Laundering and Terrorism Financing Act);
  2. The needs of the person to whom a public document had been issued.

Should you photocopy identity cards?

Even if the above arguments lead to the conclusion that identity card photocopying will not result in criminal liability, you should remember that it may still constitute a breach of personal data protection rules. Not all information contained in an identity card is necessary to everyone who asks for a photocopy or scan of that document. Before you decide to ask for a photocopy, think whether it is justified in the given circumstances.

Author:
Joanna Szumiło – attorney at law

Employee alcohol testing and GDPR

Employers have no right to alcohol test their employees on their own, and that includes random testing – this is the position of the President of the Personal Data Protection Office (UODO) in response to the amendment of the Labour Code that became effective on 4 May 2019 (full text of the position is available HERE).

Why the doubts?

The permissibility of alcohol testing of employees is not a new subject. The discussion whether protection of the privacy and personal rights of employees should be more important than issues such as safety has been going on for years. Those doubts came up again after the new Article 221b was added to the Labour Code. In accordance with that Article, the basis for processing special categories of data, including health information, may be the consent of the employee, but only when provision of that data is initiated by the employee – which means that it cannot be the initiative of the employer, which was generally the case before in alcohol testing carried out by employers. Is the knowledge whether an employee is sober health information? In the opinion of the President of the UODO – it is.

How can workers be tested for alcohol in the context of the UODO President’s opinion?

The President of the UODO found that the aforementioned amendment had no material impact on the rights and obligations of employers specified in Article 17 of the Act on Upbringing in Sobriety and Counteracting Alcoholism, as in the opinion of the authority in this scope that Act is exhaustive and constant – employee alcohol testing should be carried out on the condition of meeting the following two requirements jointly:

  1. The employer has a justified suspicion that the employee arrived at work after consuming alcohol or consumed alcohol at work,
  2. The employee alcohol test is carried out by an authorised body appointed to protect public order (e.g. police), and blood sampling is done by a person with appropriate professional qualifications.

Regardless of the stipulations and interpretation of data protection laws, the existing form of the aforementioned provision, in the opinion of the UODO, excludes the permissibility of random preventative alcohol testing of workers by employers. In the opinion of the President of the UODO “employee alcohol testing cannot be treated as:

  • a form of monitoring of work performed by the employees, referred to in Article 22 (3) § 4 of the Labour Code,
  • an activity necessary to ensure safe working conditions for all employees,
  • justified by legitimate interest of the employer.”

Could employees be tested with their consent?

In the context of the UODO President’s opinion presented above, but also prior case law, you should be very careful in your approach to testing employees with their consent and at their initiative (when, for example, they want to “prove” that they are sober), in particular when the test result would constitute the basis for further steps taken towards the employee. Even in its recent ruling of 4 December 2018, case file number: I PK 194/17, the Supreme Court stressed that “in every situation the entity authorised to carry out alcohol testing is a body appointed to protect public order. Performance of alcohol testing by the employer or its designee may even be deemed to constitute circumventing of Article 17.3 of the Act on Upbringing in Sobriety, even when employee gives their consent”.

Considering the above, the position of the UODO President must be applied in the development of the employee alcohol testing procedures until possible future law changes.

Author:
Natalia Wojciechowska – legal adviser

Updated MoF methodology – due diligence in VAT transactions

Recently (April 2019), the Ministry of Finance published an updated “Evaluation methodology for due diligence compliance by purchasers of goods in domestic transactions”. The document explains what the MoF considers in its evaluation of “due diligence”, when you unwittingly participate in a transaction aimed at VAT fraud or abuse, to exclude or limit your liability.

The document in full is available HERE

What is the methodology

The methodology determines guidelines for taxable persons on how to safely commence and continue business collaboration with counterparties to avoid problems with deducting input tax. It indicates two types of criteria, formal and transactional, that the taxpayer should consider in counterparty verification process.

Formal criteria – status of the counterparty

“Formal” steps that should be included in the process preceding dealings with new counterparties (or, to an appropriate extent, repeated periodically in the case of regular business) include:

  • Verification whether the entity is registered in relevant commercial register, like KRS or CEIDG, and also as a taxable person for VAT purposes (HERE);
  • Verification whether the counterparty is recorded in the list kept by the Head of the National Tax Authority of entities deleted from the register as taxable persons, or entities that have not been registered, or entities that had been re-registered (list available HERE);
  • Verification of any licence or permit required, etc. (in the context of the goods or services sold by the counterparty);
  • Verification of authorisations of the counterparty’s representatives (for example, on the basis of data in KRS or CEIDG registers – links above).

It is worth making a memo and keeping printouts / print screens or obtaining relevant validation to confirm the actions undertaken, in particular in the case of material or repeated transactions.

Transactional criteria – types of transactions and circumstances that should raise doubts of the taxpayer

Special caution should be exercised in the following circumstances:

  • Transaction was conducted without economic risk;
  • Payment is made in cash or has been divided in such way that individual parts of the price are below PLN 15,000;
  • Payment is made by bank transfer to two separate bank accounts, account of a third party, or an account abroad;
  • Price of the goods is considerably different than the market price without economic justification;
  • Goods offered are from an industry different than the usual industry of the supplier and had not been purchased before by the taxpayer if the change of the business profile is not economically justified;
  • Contact with the supplier or their representative was not appropriate considering the circumstances of a given transaction;
  • The supplier has registered office or a place of business at the address where there is no sign of actual business activity;
  • Payment terms are shorter than the terms offered by other suppliers from the same industry without economic justification;
  • Terms of the transaction are considerably different than those applied in the given industry to guarantee safe trading;
  • The supplier delivers goods that are non-compliant with the quality requirements of applicable laws;
  • The transaction is not documented by a contract, purchase order or other confirmation of its terms;
  • Share capital of the counterparty is disproportionally low considering the transaction’s circumstances;
  • The counterparty has no organisational and technical resources appropriate for the type and scale of the business;
  • The counterparty has no website (or is not present in social media) with information appropriate to the scale of its operations, despite the fact that it is common in the industry.

You know the criteria – what’s next?

The Ministry of Finance suggests that all criteria are just non-binding guidelines and compliance with them is not a determinant of a positive outcome of a potential tax audit, but it significantly increases the probability of finding that the taxpayer exercised “due diligence”. In the case of material or “doubtful” transactions you should consider the use of the split payment mechanism.

Importantly, every taxpayer may comply with due diligence requirements in a different way than by following the guidelines provided in the methodology. However, it is important to consider the above criteria when you develop internal procedures of counterparty selection or approval. In the age of broadly applicable compliance, it will be an “added value”.

Author:
Natalia Wojciechowska – legal adviser

Grzegorz Leśniewski – attorney at law

Brexit and GDPR

Brexit will bring numerous political and social effects, but will also impact legal matters. It will also directly affect personal data controllers. If you as a data controller use services of companies that store/process personal data in the United Kingdom, you should check whether your data processing agreement is ready for Brexit.

Despite Brexit postponement, it is still the most likely scenario – especially considering the results of the European Parliament election. Whether the deal determining the terms of the United Kingdom’s departure from the EU will be made or not is still a big unknown.

In the case of a no-deal Brexit, the UK will be given the so-called “third country” status upon leaving the EU. This means that personal data transfer to the UK will require the application of:

  • Standard or ad hoc data protection clauses in the existing data processing agreements;
  • Binding corporate rules should data transfer occur within a group of associated entities;
  • Codes of conduct (with certification mechanisms);
  • Other special instruments available to public authorities.

Obviously in most cases the easiest solution seems to be amendment of the existing processing agreements with UK entities (as processors) with appropriate additional data protection clauses.

In terms of data transfer in the other direction, from the UK to EEA, based on the communication of the European Data Protection Board, according to the UK government, free data flow will be still possible.

Author:
Grzegorz Leśniewski – attorney at law

What GDPR compliance means for my business?

GDPR is a legal act which regulates personal data protection and basically grants people a set of rights. This allows them to limit, cease or modify processing of their personal data by data controllers and data processors. What does it mean though and how to be GDPR compliant?

Personal data

GDPR states that any and all data which allows a natural person to be identified, either directly or indirectly, is personal data. Examples of such data are name and surname, e-mail address, a phone number, IP address. Nowadays, a lot is considered personal data – even so-called “metadata” or some “cookies”. Thus, you need to carefully analyze which of the information you collect falls under the definition.

Do I “process” personal data?

Processing data is, pretty much, everything you can do with it: managing, storing, collecting, modifying and deleting. But are you a data controller or data processor? Data controllers decide what the data is collected and used for and by what means. They have the main interest in processing data. However, sometimes they ask other entities to do some processing activities for them. For example, you may use a hosting provider to store your databases or external IT support to manage servers. Such external companies that perform certain tasks with access to or responsibility toward personal data are data processors.

When should I worry about GDPR compliance?

Basically, GDPR is usually applicable if the processing is done for business purposes at least partly by any automated means (for example data will be stored on a computer) and:

1. data controller is based within the EU; OR

2. processing concerns data subjects who are in the EU in the context of offering them goods or services (even for free) or monitoring their behavior (if the behavior takes place in the EU).

So if you are a data controller or a data processor and GDPR is applicable based on the above, you must take necessary steps.

How to become GDPR compliant?

Seems like you need to be GDPR compliant even if you are not from the EU? The first step is to ensure that you have a legal basis to process data. Most data controllers other than public authorities base their actions on the consent of the person whose data is being processed (data subject), performance of a contract with a data subject and/or their legitimate interest. Whenever a data processor is involved, a data processing agreement (DPA) must be signed. GDPR specifies what must be included in a DPA.

When the correct legal basis for processing is identified, you need to check if you provide the data subject with information on the scope of the processing and some other details regarding yourself. This is one of the key obligations you may have because GDPR is all about transparency – the idea is to make sure that people understand who processes their personal data and how, and what their rights are.

The above might have sounded a little overwhelming, however, to be honest, this is just the beginning. GDPR sets a number of rules on how much data you can collect and what can you do with it. Moreover, there are public authorities in each country of the EU that can enforce GDPR. They can not only require you to stop processing activities that are not GDPR compliant, but also to show proper documentation or to pay huge fines.

It is also a fact that GDPR can be used as an opportunity to improve the quality of data you are processing and security levels within your company. You can call it a pain, or an opportunity, but in any case, make sure you are compliant 😉

Author:
Grzegorz Leśniewski – attorney at law
