The Polish Ministry on Digital Affairs has published a new draft personal data protection act that will accompany the entry of the EU General Data Protection Regulation in Poland. The draft has not been finalized and will be put out to public consultation.

The major changes mostly concern procedural aspects of proceedings carried out by the Polish data protection authority aimed at providing effective legal tools.

New powers of the Polish DPA

  • Of immediate concern for data controllers is that the DPA’s decisions will be effective immediately. Submitting a complaint against the DPA’s decision will suspend the decision with reference to administrative fines.
  • During proceedings the DPA can issue an interim order restricting the scope of data processing (e.g. suspending the transfer of data to the U.S.). The interim order may last until the end of the proceedings and cannot be appealed. If it later transpires that the interim order was unjustified, the entity can seek damages in civil proceedings against the DPA.
  • Proceedings before the DPA will be one-instance proceedings. Currently, there are lengthy two-instance proceedings where the DPA assesses the matter twice. Now, the DPA’s decision can be appealed directly to the court.
  • The DPA may set a deadline for submitting evidence in the possession of the party during the proceedings. The deadline must give at least 3 days, which could be tight in terms of sourcing some documents in the corporate environment. No sanction is stated for failure to comply.
  • The DPA may require a Polish translation of the evidence submitted by a party in the proceedings, at the expense of the party.

Inspections and dawn raids

New powers will require data controllers and data processors to be always ready for inspection:

  • The DPA will be allowed to perform an inspection without prior notice, instead of the current minimum seven days’ notice.
  • During the inspection the DPA may request assistance from other authorities. This includes the police and means there’s a need to be prepared for raids.
  • The inspector will be able to interview — as witnesses — persons employed by the entity being inspected. Witnesses will be subject to criminal liability for making false statements or concealing the truth.

Administrative fines vs. civil claims

  • The final amount of administrative fines will be decided by the administrative court (upon filing a complaint). Nevertheless, the civil court will be able to award civil damages to the data subject whose rights have been infringed. The decision on the amount of the civil damages remains in the hands of the civil court.
  • The administrative and civil path will be independent, but the draft legislation lays down specific procedures requiring one authority to inform the other about initiated proceedings (the DPA must inform the court about administrative proceedings and the court must inform the DPA about civil proceedings).

Data protection officer

  • Information security administrators active on May 24, 2018, will act as data protection officers until September 1, 2018. During this time, data controllers and processors will have to notify the DPA about the appointment and/or resignation of DPOs.

Material changes

Minors over 13 years of age may consent to data processing without additional consents from parents or legal guardians. This material change is important for international online service providers.

Please note that the draft legislation is not final or exhaustive and might be subject to change. The Ministry plans to publish a finalized draft in autumn of 2017 with a view to completing the whole legislative process by early 2018. The finalized draft will be subject to consultation. 

photo credit: Polish flag via photopin