Poland’s government is close to passing a data protection law that has been through its third reading in the lower house of parliament. If both the upper house (Senate) and the President accept the proposed wording—and there does not seem to be any reason why they will have any objections—it will likely come into force on 1 January.
If the law passes, the role of data protection officers (DPOs) will be regulated in detail for the first time since the Polish data protection law was enacted seventeen years ago. These changes may affect organisations significantly, as DPOs will gain considerable powers to audit data controllers’ day-to-day activities and to ensure they comply with privacy regulations. In most cases data controllers will no longer be required to notify the data protection authority (GIODO) of their databases, and it will be easier to transfer data outside Poland. The changes are part of a package of legal acts aimed at facilitating business operations in Poland.
Currently, the appointment of a data protection officer is optional for organisations; it is not mandatory if data controllers perform the DPO role themselves. This is the case in many smaller organisations and sole proprietorships. If the changes come to pass, appointing a DPO will still be optional, and will probably be preferred by large businesses. However, both the organisational and financial burden of verifying data protection compliance (particularly conducting audits) will lie with data controllers and not with the GIODO.
As it currently stands, anyone can be appointed to the DPO function (in most cases the data controller’s employees from the HR or IT department are appointed as DPOs, although some consider this practice incorrect). Under the new law, only individuals who meet the following criteria may be given this increasingly important role: full legal capacity and full public rights, appropriate knowledge in the field of personal data protection, and no criminal convictions. However, the new law says nothing about how a candidate’s “appropriate” knowledge in the field of privacy should be verified or certified, or about who should do it.
A key role of the new DPO will be to verify data protection compliance and to prepare reports on this for the data controller. What is important here is that the reports, signed on each page by the DPO, will be shared with the GIODO at its request. In this way, the DPO will be fully responsible for ensuring that data is processed in line with Polish privacy laws. It seems that in large organisations, in view of the potential liability and the number of privacy issues to deal with, the DPO may need external support, which will probably increase the costs of compliance departments. Apart from the reporting function, the DPO will be required to provide privacy training to the data controller’s employees (this aspect of the work may also be difficult for some).
A register of DPOs will be publicly available – anyone will be able to find out who to contact about privacy matters within a data controller’s operations. At first glance, this is an interesting solution for data subjects. At the same time, it will also allow the GIODO to check exactly which businesses in a given sector (say FMCG or pharmaceuticals) have decided not to appoint a DPO, and why.
Further, under the draft law, a data controller that has appointed a DPO will not be required to notify the GIODO of its databases unless they contain sensitive data. This is good news, as this requirement has long been criticised as red tape that serves no real purpose for data subjects, the GIODO or data controllers. Contrary to the current situation, the draft law offers a flexible solution: the data controller can keep an internal register of databases within the organisation, together with the documentation required by the data protection law (e.g. a security policy).
Last but not least, there will be changes to the transfer of data from Poland to countries outside the European Economic Area. Currently, EU standard contractual clauses are an insufficient legal basis for such transfers. For many years multinational companies suffered, as each transfer required authorisation from the GIODO, which could take up to six months. Under the new law, executing standard contractual clauses would be sufficient to transfer data outside Poland, without the GIODO’s authorisation.
As the new law is likely to come into force soon, DPOs should be aware of the new requirements and responsibilities involved in their role. Again, as DPOs will have to prepare and sign privacy compliance reports, it is they who will feel the changes most.