
The Privacy Advisor | POLAND—Amendment to the Personal Data Protection Act Will Take Effect Jan. 1


The amendment to Poland's Personal Data Protection Act introduces new obligations for data protection officers and simplifies both the data-filing system registration procedure and international data flows.

Background and Timing

On 7 November, the Polish Parliament adopted the Act on Facilitation of Performance of Business Activity (amendment), which amends, among others, the Act on Personal Data Protection of 1997 (Data Protection Act). The amendment is available in Polish here.

The amendment, signed by the president, is currently awaiting publication in the official journal and will enter into force on 1 January.

Three significant changes are introduced:

  1. The position of the data protection officer (DPO), the so-called information security controller, is strengthened.
  2. The rules on registration of personal data-filing systems are simplified.
  3. International data flows based on model clauses (SCC) and binding corporate rules (BCR) are simplified.

Strengthening the Position of a DPO

Currently, all companies need to appoint a DPO unless they are sole entrepreneurs who may perform the DPO’s tasks on their own. The amendment repeals that obligation and introduces voluntary appointment of a DPO. If a company appoints a DPO, it will benefit from the simplification in the data-filing system registration. However, in exchange for the simplification, the amendment strengthens the position of a DPO within the company and introduces a number of additional DPO tasks. Companies need to ensure that DPOs may perform their tasks independently. A DPO should report directly to the CEO.

The DPO’s tasks will include:

  1. Ensuring that the data protection rules are complied with, in particular by conducting an inspection of data processing compliance and preparing a post-inspection report for the company; supervising that the information security documentation is up to date and the rules set therein are complied with; and ensuring that the staff is acquainted with the data protection rules;
  2. Keeping the company’s internal public register of data-filing systems.

The Ministry of Administration and Digitalization is currently working on the implementing rules that will specify in detail the scope of the tasks.

Moreover, the amendment introduces criteria for eligibility to become a DPO. The controller is obliged to notify the Polish Data Protection Authority, the General Inspector for Personal Data Protection (GIODO), of the appointment and dismissal of a DPO within 30 days and to declare before GIODO that the DPO complies with the eligibility criteria. GIODO will run the public register of DPOs.

GIODO may order a DPO to conduct an inspection on a particular issue, and the DPO will submit a report on its findings to GIODO.

If a company does not appoint a DPO, the company still needs to perform the DPO’s tasks, with the exception of conducting the inspection, preparing the report and keeping an internal public data-filing system register.

Companies have until 30 June 2015 to decide whether to notify their DPOs to GIODO under the new rules.

Simplification of the Data-Filing System Registration Procedure

Currently, all data-filing systems containing regular data should be notified to GIODO prior to commencement of processing, and upon a notification, GIODO registers data-filing systems in the public register. There is an exhaustive list of exceptions to this obligation.

The amendment introduces a new exemption: It concerns data-filing systems that are not run in IT systems, that is, data-filing systems run solely in hardcopy form.

According to the amendment, companies that appoint DPOs and notify them to GIODO will be released from the notification obligation but will need to run their own internal, publicly available register of the data-filing systems processed by them.

Simplified Rules on International Data Flows

Currently, in order to lawfully transfer data to a third country not ensuring adequate protection, in most cases controllers need to implement an appropriate mechanism, SCC or BCR, and obtain GIODO’s prior consent for such transfer.

The amendment simplifies the procedure. Controllers will not need to obtain GIODO’s consent for the transfers based on SCC implemented by a data exporter and a data importer.

Companies will still need to obtain an approval for BCRs, but GIODO may take into account in its proceedings prior decisions of other data protection authorities. This is likely to simplify the BCR approval procedure compared to the current consent procedure.

Possible Impact of the Amendment

The amendment seems mostly beneficial for the companies involved in international data transfers, as it abolishes the burdensome, costly and time-consuming procedure for obtaining GIODO’s consent for transfers based on SCC. It may also result in simplifying GIODO’s approval procedure for BCRs.

The intention behind the amendment was to simplify the data processing rules on data-filing system registration to the benefit of businesses. And indeed, the amendment may in practice be advantageous for larger entities that already have appropriate resources in place, both in terms of staff and infrastructure, to smoothly accommodate extended DPO tasks.

For medium and small companies, the practical benefits of the new law are not that apparent. The amendment may not bring the expected relief and savings since, in order to benefit from the simplification, the companies would need to make sometimes substantial investments in order to ensure that DPOs may perform their tasks in line with the new law.

The amendment may also influence international groups of companies that appoint their global or regional data protection/privacy officers based outside Poland as DPOs in Poland. Due to the number of obligations that need to be performed in Polish on the spot, or before GIODO, such foreign DPOs may have practical difficulties with continuing to perform their tasks as DPOs in Poland.
