Greetings from Brussels!
Data protection just got significantly busier in Poland. Last Thursday, a draft of the new Personal Data Protection Act “implementing” EU GDPR was published by the National Legislative Centre, as well as a draft amending numerous sectoral laws — more than 130 sectors, to give you an idea. It is being reported in local Polish media as one of the biggest legislative overhauls in some time. The work is being undertaken by the Minister for Digital Affairs, and the drafts are to be subject to extensive public consultation until 13 Oct.
A major development is that the new regulation would bring about the creation of a new authority called the Office for Personal Data Protection. The chairperson (the president) would be elected by the Parliament, based on the prime minister’s proposal, for a four-year term. The chairperson would have significant influence and would be the competent body in matters pertaining to personal data protection. In addition, the president would carry out their tasks with up to three deputies. Moreover, the PDPA Draft provides for an additional mechanism, a Council for the Protection of Personal Data, a consultative and advisory body. Opinions from the council would be made available through the OPDP. Just how these two entities would interact is not clear for now. What we have been told is that the new OPDP has been introduced to replace the existing GIODO structure, and there is an expectation that an additional 145 employees would need to be recruited to cope with the augmented work stream as a direct result of the GDPR.
Among the numerous provisions, there is one transitional provision concerning the data protection officer roles as applicable under the GDPR. Designated persons who act as "information security administrators" on 24 May 2018 would — by default — act as data protection officers until 1 Sept. 2018. Then, the controller/processor must notify the president of the OPDP that a DPO has been designated or that the information security officer would not retain a DPO function. Another point of interest is that the GDPR provides for the possibility of establishing certification mechanisms that testify to the consistency of data processing. The PDPA draft envisages that certification guidelines would be determined by the president of the OPDP, based on the certification criteria developed and made available by the president.
There will also be new rights for members of the public to claim violations of their privacy in proceedings under civil law. Employees will be protected by the introduction of the requirement to have their consent when their personal data are collected. The draft act also regulates the retention of biometric data.
The extensive revision was led by Maciej Kawecki, who is the coordinator of the Data Privacy Reform and deputy head of the Data Management Department at the Ministry of Digital Affairs. For those of you who attended the inaugural Warsaw KNet this year, Dr. Kawecki was one of the key speakers. I spoke with Marcin Lewoszewski, co-chair of the IAPP Warsaw KNet, this week. He said an enormous amount of work had been done in the last months to map the revised PDPA draft to draft law, changing almost all legal acts regulating data privacy in Poland. The key changes cover employment law applicable to employers in Poland and sector regulations for banks and other financial institutions. Laws for other key sectors, such as telecommunications and e-commerce, will also be amended to align sector regulations with the GDPR. In Lewoszewski’s view, this is a great achievement, taking account of the pressure and influence exerted from a broad range of stakeholders; it should be appreciated. He went on to add that with as little as eight months left before May 2018, Polish businesses can refocus their energies with a greater sense of compliance predictability to get prepared for life under the new European data protection reforms.