The amended provisions of the Polish Data Protection Act of 29th August 1997 entered into force on 1 January. These reforms were necessitated by the enactment of new rules governing the exchange of information between the law enforcement authorities of EU member states.


Transfers of personal data to third countries


The most significant changes to the act concern the provisions governing the transfer of personal data to third countries, i.e., countries outside the European Economic Area. Pursuant to the newly worded provisions, transfers of personal data to a third country may only occur if the country of destination ensures an adequate level of personal data protection in its territory. The amendment removes previous references to guarantees of personal data protection at least the same as those in force in the territory of Poland. The criterion of an “adequate level of protection” has been clearly defined, implementing the wording of Article 25 Paragraph 2 of Directive 95/46/EC.


Accordingly, the act clearly states that the adequacy of the level of personal data protection should be evaluated taking into account all the circumstances concerning a data transfer operation, in particular the nature of the data, the purpose and duration of the proposed data processing operations, the country of origin and the country of final destination of the data, as well as the legal provisions in force in a given third country and the security measures and professional rules applicable in that country. Despite this amendment, it seems that these changes will not have a considerable impact on the practice of the Polish Data Protection Authority (DPA) when evaluating an application seeking permission to transfer personal data to a third country which does not ensure an adequate level of protection (a so-called DPA permit). This is because the legislative provisions governing DPA permits still refer to the transfer of personal data to a third country which fails to ensure at least the same level of personal data protection as that in force in the territory of Poland.


Exception from the duty to register with the DPA


Other changes to the act include the introduction of an exception from the duty to register a data filing system with the DPA where such data is processed by relevant organs on the basis of provisions governing the exchange of information between the law enforcement authorities of EU member states.


Personal data of persons conducting economic activity


1 January also witnessed the repeal of earlier provisions of the Law on Economic Activity stating that the personal data of entrepreneurs who are natural persons, contained in the business activity register (now replaced by the central record on economic activity), fell outside the scope of protection of the act.


Therefore, information identifying persons conducting economic activity is currently subject to the provisions of the act if, in the factual circumstances, it constitutes personal data within the meaning of the act.


Consequently, controllers of personal data of persons conducting economic activity will need to ensure that such processing is done in compliance with the act. These would appear to be the most important practical changes that entered into force in 2012.
