When the General Data Protection Regulation began to apply, local law had to be adapted to the new requirements. In Poland, the Parliament passed the Act on Protection of Personal Data on May 10, 2018. The act includes, inter alia, details on appointing and notifying a data protection officer.
Data protection officers in the GDPR
The data protection officer shall be appointed by a controller or a processor mandatorily, if the conditions specified in Article 37.1 of the GDPR are fulfilled, or voluntarily if the controller or the processor considers that it is necessary as a part of its organization. The appointment of the DPO should be followed by notification of the appointment to the competent supervisory authority. In Poland, the supervisory authority is the President of the Office for Personal Data Protection (in Polish: Prezes Urzędu Ochrony Danych Osobowych, or PUODO).
DPOs in the Polish act
Under the act, a controller is obliged to notify the appointment of a DPO to PUODO. Taking into account that under former law the controller could appoint an information security administrator, the Polish legislator had to deal with a transitional period during which the ISA and the DPO may co-exist.
A person appointed as an ISA on the date of application of the GDPR becomes by law the data protection officer. Controllers are obliged to notify the appointment of the DPO to PUODO but have to take into account various deadlines, depending on the origin of the DPO:
- September 1, 2018: For the appointment of those previously appointed as the ISA that will continue to perform this function as a DPO.
- September 1, 2018: For controllers that decide that, although there is an appointed ISA, the DPO function will be performed by another individual upon application of the GDPR.
- July 31, 2018: For the appointment of a DPO in cases where the controller had not appointed an ISA in the past.
Also, processors that are obliged to appoint a DPO should have notified the obligatory or voluntary appointment of the DPO by July 31, 2018.
Notification on appointment of a DPO by the controller or the processor to PUODO shall take place within 14 days from the date of the appointment. The necessary elements of the notification are:
- Name, e-mail address and telephone number.
- Address of residence, if the DPO is a natural person.
- The entrepreneur's business and the address of the place of business, where the controller or processor is a natural person running a business.
- Full name and address of the registered office, if the controller or processor is an entity other than the one indicated above.
- Statistical number, if it was given to the controller or processor.
If a group of companies decides to appoint one DPO for the whole group, each and every company that is part of the group is required to notify PUODO of that appointment separately from the other group companies.
The notification may be done in electronic form only. The electronic notification requires a qualified electronic signature or a signature confirmed by an ePUAP profile (a trusted profile offered by Polish authorities). Both of these authentication methods may be difficult for individuals who are not located in Poland to use.
Any changes of the personal details of the DPO or the cancellation and appointment of a new DPO should be submitted to PUODO within 14 days of the date of the change.
Obligation to disclose data of the DPO
Immediately after appointment of the DPO, the controller or the processor is obliged to publish the DPO’s contact details on the company’s website.