Poland's National Legislative Center last week published a package of draft laws that, together with the amended draft of the act on personal data protection, will change the Polish legal framework to be compliant with the EU General Data Protection Regulation.
Draft data protection act — a stronger data protection authority
The draft law clarifies what inspection tools the DPA, which will now operate under a new name, the President of the Office of Personal Data Protection, will have. For example, it may request translation into Polish of all documents provided by the inspected party, at that party's own cost. Further, the authority may access the equipment, media and IT systems on which personal data is processed, and may additionally require the inspected party to make copies or prints of the documents and information stored on those media, devices or systems. Finally, proceedings before the authority will be single-instance proceedings. The reason for this is pragmatic: the majority of decisions issued by the DPA in the first instance were upheld in the second, so the change should be seen as positive for the authority, and for complainants, since matters will be dealt with faster.
As a separate note, the draft law adds one more interesting power for the authority. According to the draft, the DPA is to issue recommendations specifying the technical and organizational measures used to ensure the security of personal data processing. The recommendations will be prepared by the authority taking into account the nature of the specific activity and will be subject to periodic updates. Draft recommendations are to be consulted with the interested parties whose scope of activity is covered by the given draft. This will probably open a new chapter in cooperation between controllers and processors and the DPA.
The package — its impact on the legal framework
The draft package of laws is one of the largest changes to the Polish legal framework in years, covering more than 175 pages of legal text and 145 pages of justification for the proposed changes. The draft is now subject to public consultation: it was announced and notified to almost 200 business organizations and associations, with a 30-day period for submitting comments, opinions and proposed changes.
The changes cover laws that regulate key sectors where personal data is processed, including digital, energy, infrastructure, culture, finance (including banking and insurance), employment, sports and tourism, health and justice. Some key points from a business perspective are described briefly below.
Employment law — consent and biometric data
From a practical perspective, there are at least a few changes that are important for businesses. One of these relates to employment law. Under the current legal framework, the scope of data that can be processed in relation to job candidates and employees is unclear and disputed. While the data protection authority takes the view that an employer should not process any data other than what is listed in the employment law (e.g., name, surname, educational background, address) and should not ask a candidate for any other data, some practitioners argue that this approach is groundless where the candidate (or employee) has consented to processing of a broader scope of data. In the past, in the event of a dispute with the regulator, it has been difficult to prove that such consent was freely given by the applicant and valid.
Under the new draft law, this would change. According to the draft, processing by the employer of personal data other than that directly mentioned in the relevant provisions of the employment law is admissible only if it relates to the employment relationship and the candidate or employee consents in writing or electronically. Similarly, employers would also be able to process biometric data of their employees if such data relates to the employment relationship and the employee agrees to this in writing or electronically. Both changes should be assessed as very positive for employers, as they allow more data to be collected, provided it is adequate for the purpose of the employment relationship.
Banking law — loan providers and profiling
During the last few months, there has been much discussion in Poland as to whether banks and other financial institutions (e.g., loan service providers or insurers) profile their clients; if so, in exactly which cases, and what the consequences of this type of processing are for potential and existing customers. According to some practitioners, banks should collect additional consent for profiling, while others argue that banks are required to profile their clients under existing law. It seems that these discussions have had an impact on the draft law implementing the GDPR. According to the published draft, a definition of "profiling" will be added to the banking law by reference to the GDPR.
In general, based on the published drafts, processing of personal data, including profiling, may be carried out by banks and lending institutions in order to assess creditworthiness and analyze credit risk. It may also be used for statistical purposes and analyses that fulfill obligations specified in separate regulations, but only when such statistical purposes and analyses result in non-personal data and the results do not serve as a basis for making decisions about specific natural persons. Further, such processing will, in general, be possible for the purpose of crime prevention.
Hotels and leisure — health data and notification
As it currently stands, it may be difficult for hotel operators and owners to find a legal basis for processing health data of their guests. Such data can cover anything from nicotine addiction to serious disability. The draft law clarifies this issue by authorizing businesses providing hotel services to process such data as data controllers. What's more, one of the GDPR requirements on providing information notices to data subjects is relaxed with reference to Article 14 of the GDPR. According to the draft, where customer data is collected indirectly (i.e., from a third party), hotels should provide the data subjects with the required notices no later than when the hotel service begins. This is an important change for the sector, as under Article 14(3)(a) of the GDPR such information must otherwise be provided to data subjects within a reasonable period after obtaining the data, and at the latest within one month.
As the drafts are now subject to public consultation with business, we should expect further comments before the law is enacted and binding. It should certainly happen well before May 2018, so everyone has time to prepare for the new reality.