![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
After a more than three-year political and legislative struggle, the Polish parliament has finally amended the Act of August 29, 1997 on the protection of Personal Data (unified text: Journal of Laws of 2002 No. 101 item 926) (hereinafter: Data Protection Act) and other acts, including the Act on Enforcement Proceeding in Administration. The revised law will enter into force on March 7, 2011.
The amendment creates a balance between the Polish Data Protection Authority’s (DPA) increased powers and the criticism of such growing powers. Interestingly, the amendment caused so much controversy and public interest that, in 2008, a public hearing (wys?uchanie publiczne) was launched on the matter.
The most significant changes of the Data Protection Act include (i) increased DPA enforcement powers, (ii) clarification of the consent withdrawal issue and (iii) a new penal provision.
(i) New DPA Powers
As of March 7, 2011, the DPA is empowered to execute its administrative decisions in a more efficient way by imposing financial fines on those who do not comply with the DPA’s administrative decisions. The DPA is empowered with the right to ensure the execution of non-pecuniary obligations arising from its administrative decisions. This means that the DPA can impose fines to compel compliance with the administrative decisions of up to (i) 50,000 zlotys (approximately 12,500 euro) for natural persons and (ii) 200,000 zlotys (approximately 50,000 euro) for legal persons.
In addition, the DPA may address private and public entities with so-called communications (wyst?pienie) to ensure the efficient protection of personal data. These communications may be similar to communications of other public administrative bodies, such as the human rights ombudsman’s (Rzecznik Praw Obywatelskich) communications and may play a role similar to best-practice guidance. It will be interesting in practice to see how the DPA will use this power, especially when targeting private entities and their impact.
Another change is the DPA’s new power to request relevant public authorities to undertake a legislative initiative or to issue or amend legislation on matters relating to the protection of personal data.
In both cases, receiving a DPA’s communication or such DPA’s “request on legislative actions,” the recipient will be obliged to respond to the DPA within 30 days of receipt of such a communication or request.
The new law also provides for a possibility of establishing the regional units of the DPA that should be justified by the character and number of data protection cases in the relevant regions.
(ii) Revocable Consent
The amendment clarifies the issue of withdrawing consent for personal data processing. Although the possibility of withdrawing consent was already recognized in Polish legal doctrine, it was not formally recognized in the Data Protection Act. Interestingly, the amendment of the Data Protection Act does not introduce any transitional provisions and appears to be applicable to consents granted prior to the entry into force of the amended law; i.e., consent expressed before March 7, 2011.
This right to revoke consent does not impose additional information obligations on controllers towards data recipients about the data subject’s withdrawal of consent.
(iii) New Penal Provision
The amendment introduces a new penal provision for blocking or obstructing DPA inspection activities. This means that anyone involved in such actions could be fined or imprisoned for up to two years.
The new law does not provide for examples of such punishable behavior; however, the types of action falling under this notion would likely include not permitting DPA inspectors onto the premises of the controller, providing false information or failing to present requested objects, such as carriers or information systems for processing of personal data.
(iv) Conclusion
The amendment to the Data Protection Act with broadened DPA enforcement powers will impact companies conducting business in Poland. Companies will need to review their data protection practices as the new rules are focused on sharpening enforcement actions of the DPA. To avoid business risks, including financial fines as well as criminal liability, companies must properly address compliance efforts.
Whereas the amendment is a step forward to ensure a more efficient level of compliance with data protection rules, it does not solve all issues relating to data protection, specifically the developments and deployment of new information technology. In light of the European Commission Communication concerning the preparation of an overhaul of the European Data Protection Framework Directive (Communication on a comprehensive approach on personal data protection in the European Union on COM(2010) 609), the Polish DPA announced public debate on other changes to the law requiring consideration to render it more efficient to ensure effective data protection in the quickly evolving information society.
The full text of the amendment of the Data Protection Act is available (in Polish)
.
