
The Privacy Advisor | POLAND—DPA vs. Google on the Information Security Administrator


The Supreme Administrative Court, in its judgment of 21 February, supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued to Google, Inc.

The DPA had argued that only a natural person may be appointed to the function of information security administrator in a company, i.e., the Polish equivalent of a data protection officer (DPO), and that such an appointment may not include a multi-structured legal person.

In December 2011, the DPA ordered Google to remedy the infringement it had committed whilst processing personal data; i.e., to remedy its previous failure to appoint an information security administrator. Google had breached the Personal Data Protection Act by failing to appoint an information security administrator, or DPO, which came to light during a DPA investigation into the processing of personal data within Google’s Street View service.

Pursuant to the act, a data controller shall appoint an information security administrator to supervise compliance with the rules of personal data processing, unless such duties are performed by the data controller directly. In the DPA’s opinion, only a data controller who is a natural person is capable of simultaneously being appointed as an information security administrator. As regards companies that are legal persons, they shall be required to appoint a natural person as the information security administrator.

Google disagreed with the DPA’s decision and filed an application for its reversal, arguing that the essence of ensuring compliance with the aforementioned rules does not demand that such actions may only be performed by a natural person. However, neither the Voivodship Administrative Court nor the Supreme Administrative Court accepted Google’s position.

Although the relevant statutory provision indicates two possible options for ensuring compliance with the rules of personal data processing, i.e., by appointing an information security administrator or by the data controller performing these duties independently, the Voivodship Administrative Court held that, without doubt, data controllers in multi-structured companies having legal personality are required to appoint a specific person who would be responsible for ensuring compliance with the statutory rules—specifically, to supervise data protection compliance—in the function of the information security administrator.

This interpretation was based primarily on the assumption that it is necessary to enable liability to be imposed upon those who breach such supervisory duties and that the act stipulates that such failure can only lead to liability as an individual crime. Only in cases where the data controller and information security administrator are the same natural person is it possible to conclude that no doubt exists as to the identity of the person responsible for any such breaches.

The Supreme Administrative Court noted the rule that legal persons act via their constituent organs, with the result that where the data controller is a legal person, it is obliged to appoint an information security administrator. The statutory conception of a DPO independently performing such duties is envisaged to apply to natural persons who carry out business activity as sole traders.

Furthermore, a data controller who has failed to appoint an information security administrator is unable to claim that he or she is performing such duties by force of law. The act does not create any presumptions in this regard.
