As of 1 January, amendments to the Polish Data Protection Act of 29 August 1997 entered into force, following the passing, on 7 November 2014, of the act on the facilitation of conditions regarding the conduct of business activity, which may impact the data compliance status of many companies.
The law generally aims to facilitate data controllers' duties and it will amend or supplement existing provisions by providing additional options to fulfill data protection requirements.
Some may find it surprising that Poland changed its data protection law now, since the new, relevant EU General Data Protection Regulation is on the way, but the amendment process has been in progress since 2012.
The amendments affect:
- the functioning of Polish information security administrators (in Polish: administrator bezpieczeństwa informacji, similar to the data protection officer (DPO));
- the duty to register data-filing systems in the Polish data protection authority’s (DPA) register, and
- the transfers of data outside the European Economic Area (EEA).
Data Protection Officer (Polish Information Security Administrator)
The new law regulates in detail the functioning of a DPO, whose appointment is optional.
It creates a new register of DPOs to be maintained by the DPA, and it lays down rules regarding the duty to notify the appointment and dismissal of a DPO in the new DPOs register.
The most important incentive for appointing and registering a DPO is that, as a consequence, the data controller is exempted from the duty to register data-filing systems with the DPA.
Qualifications of a DPO
According to the new provisions, the function of the DPO may be performed by any person who meets the following criteria:
- has full capacity for legal actions and enjoys full public rights;
- has adequate knowledge of the provisions of data protection law;
- has no criminal record for crimes involving willful misconduct.
A DPO is appointed by the data controller, who may also appoint deputy DPOs.
If the data controller concludes that it can ensure data protection on its own, it may perform the DPO’s duties directly, other than the duty to prepare a report on the compliance of the processed personal data with data protection provisions, without appointing a DPO.
It has to be pointed out that, as a consequence, even if no DPO is appointed, a company acting as a data controller may in practice still need to designate a particular person within the company to perform the DPO’s duties. What is more, without the appointment of a DPO and its registration in the newly created DPO register maintained by the DPA, the data controller cannot take advantage of the new exemption that allows a controller to keep its data-filing systems internally instead of registering them in the DPA’s data-filing systems register.
Functions of the DPO
In order to eliminate uncertainty regarding the scope of a DPO’s responsibilities, the new law clearly defines a DPO’s duties as follows:
- Ensuring compliance with data protection provisions, in particular by:
- monitoring the compliance of processed personal data with data protection law and preparing reports for the data controller;
- supervising the preparation and updating of documents describing the methods of processing personal data and the technical and organizational measures protecting that processing, appropriate to the threats and the categories of protected data, and ensuring compliance with the rules set out in such documents;
- ensuring that persons authorized to process personal data are familiar with the data protection rules.
- Maintaining a public register of data-filing systems within a given data controller, excluding those which under the data protection act are exempted from notification to the DPA register.
The new provisions also envisage the possibility for DPOs to be entrusted with other duties, provided that such additional duties do not adversely affect the performance of their aforementioned primary duties.
The new regulations oblige data controllers to ensure relevant resources and appropriate levels of organizational autonomy to enable DPOs to perform their duties independently.
Registration of the DPO in the New DPOs Register, To Be Maintained by the DPA
In brief, if an appointed DPO is registered in the new DPOs register maintained by the DPA, the company may keep its data-filing systems internally as an alternative to registering them in the register of data-filing systems maintained by the DPA.
The registration and cancellation of appointed DPOs in the new DPOs register will be done by using a specific form created in secondary legislation adopted pursuant to the new law. Registration of an appointed DPO in the new DPOs register will be an obligation to be fulfilled by the data controller.
The data controller is obliged to register the appointment, as well as the dismissal, of the DPO with the Polish DPA within 30 days of the appointment or dismissal. The DPA may issue a confirmation of the DPO’s registration at the request of the data controller. The register of DPOs maintained by the DPA will be open to the public.
As regards DPOs appointed before 1 January 2015, according to the interim provisions, they will perform their function within the new scope of duties until the moment of registration in the new DPOs register, but no later than 30 June 2015.
DPOs appointed before 1 January 2015 will remain in their positions until a DPO is appointed under the new principles, but no longer than until 30 June 2015. It seems, however, that the data controller may, before that date, dismiss the "old" DPO without appointing a new one. In that case the data controller will have to perform the newly defined DPO duties itself, except for the duty to prepare a report for the data controller. DPA guidelines on how to interpret the interim provisions on the DPO would be welcome.
Registration of an appointed DPO in the DPOs register will also enable the DPA to check, via the appointed and DPA-registered DPO, whether the data controller’s processing of personal data complies with data protection laws; in any event, the DPA will still be entitled to send its own inspectors to conduct an inspection.
It seems that the appointment and registration of the DPO in the new DPOs register maintained by the DPA serves two purposes: on the one hand, it exempts companies from the duty to register data-filing systems in the DPA’s data-filing systems register; on the other hand, it enables the DPA to verify that data controllers’ processing of personal data complies with data protection laws by making use, for that purpose, of the DPOs appointed and registered in the new DPOs register.
Changes to the Registration of Data-Filing Systems
The appointment and registration of a DPO in the new DPOs register, to be maintained by the DPA, will exempt companies from the duty to register data-filing systems in the data-filing systems register maintained by the DPA. This rule will not apply to sensitive data and the duty to register sensitive data-filing systems in the DPA’s data-filing system register will continue to exist. In such an event, data-filing systems will need to be maintained internally by the DPO.
In addition, provided that they contain no sensitive data, all data-filing systems kept without the use of an IT system (e.g., in paper form) will be exempted both from the duty to register them in the DPA register and from the duty for the DPO to maintain them internally within the company.
The register of data-filing systems maintained internally within a company will be public; the rules governing disclosure of the contents of such data-filing systems to the public will be laid down in secondary legislation adopted pursuant to the new law, although this has not yet been finalized.
Transfers Outside the European Economic Area (EEA)
As regards transfers outside the EEA, the rules remain the same, albeit with certain new exceptions. The new law simplifies the procedure for transferring data outside the EEA. The main rule remains the same, namely that a legal basis is generally required for such a transfer. In a business context, this is usually the written consent of the relevant data subject. In the absence of such a legal basis, in most business cases, it's not necessary to acquire the DPA’s permission before transferring data outside the EEA.
However, as of 1 January 2015, it will not be necessary to acquire the DPA’s consent if a data controller ensures the existence of relevant measures to protect privacy and the rights and freedoms of the person whose data is transferred outside EEA. Such protective measures are:
- standard contractual clauses approved by the European Commission (EC) pursuant to Article 26(4) of Directive 1995/46/EC or
- binding corporate rules (BCRs) approved by the Polish DPA in a manner set in the new law.
The DPA will approve BCRs in the form of an administrative decision; before approving them, the DPA may consult the relevant data protection authorities of the EEA states in which the group’s entities are seated, by transmitting the relevant information to them.
When issuing its decision on the approval of BCRs, the DPA will take into account the results of the consultations with the other data protection authorities in the EEA states where the group’s entities are seated, and where the BCRs have already been the subject of a decision by the data protection authority of another EEA state, it may take that decision into account.
Consequently, as of 2015, most business data transfers will no longer require the written consent of the data subject or the DPA’s permission to legitimize a transfer to a recipient located in a non-EEA country, provided that a data transfer agreement exists in the form of standard contractual clauses approved by the EC or that BCRs approved by the Polish DPA are in place.
The new rules will simplify the obligations of data controllers, but it remains up to data controllers to choose whether or not to follow the rules of the new law or to stick with the “old” requirements, which will continue to be binding.
Many practical aspects of implementing the new law will be contained in secondary legislation adopted pursuant to it, which is still being finalized. Accordingly, a complete overview of the new rules and their impact on the existing obligations of data controllers will only be possible once such secondary legislation has been promulgated. At this stage, only the regulation on the DPO registration and cancellation forms has been adopted.
IAPP members, for more on Poland’s new DPO registration requirements, see this Privacy Tracker post by Marcin Lewoszewski.