On December 29, 2014, Polish legislative bodies published a regulation (secondary act) to the recently amended Act on Personal Data Protection dated 1997.

The new law, entitled Regulation of the Ministry of Administration and Digitalization of December 10, 2014, concerned template notification forms regarding the registration and revocation of data protection officers (DPOs). It came into force on January 1.

Under the secondary act, data controllers that decide to notify the GIODO of the appointment (or dismissal) of a DPO must use the official template attached to the regulation.

In my view, there are a few important elements of the notification that should be analyzed in detail before a data controller decides to go to the GIODO.

The first is that the notification is to be submitted by the data controller and not the DPO. To be more precise, it is the data controller, and not the DPO, that is responsible for providing the GIODO with true and accurate information within the template. This means data controllers should verify the correctness and truthfulness of the information in the notification before it is provided to the authority.

The regulation also requires the data controller to confirm that the DPO holds full legal capacity and can also use all public (civil) rights. The only way for a data controller to verify this, in my opinion, is to request the DPO to confirm the above in writing and to ensure that such confirmation is kept in the data controller’s records.

The third element that must be confirmed by the data controller is “adequate knowledge” of the DPO in relation to data protection. At first glance it may be considered easy to tell whether a DPO has “adequate knowledge”, but without any formal certifications or courses devoted to privacy/data protection, it may be difficult to prove that the DPO has sufficient skills.

The fourth element is a clean criminal background. This is a new approach as regards background checks in Polish law. From January 1, the position of DPO is one of very few job titles where a clean criminal record is mandatory under the law (in contrast, most employees of financial institutions, like banks, are not required to have a clean criminal background). An employee can confirm this by providing the data controller with a certificate of a clean criminal background from the National Criminal Register.

Last but not least, the position of the DPO within the data controller’s structure must be confirmed within the notification template. Under the new law, the data controller must confirm that the DPO reports directly to the management board. In practice, this may require a change to the DPO’s employment (or other) contract.

According to information published by the legislative bodies, up to 3,000 notifications of DPOs are expected under the new law.

It will be interesting to see how the authority will check the “adequate knowledge” element, as well as how data controllers will resolve the issue of the DPO reporting directly to the management board.