The Polish data protection authority (Generalny Inspektor Ochrony Danych Osobowych, GIODO) has published on its website, its position regarding the effect of the European Court of Justice (ECJ) ruling of 6 October in the Maximilian Schrems v Data Protection Commissioner case (C-362-14) on the invalidation of the EC Decision on the Safe Harbor mechanism.
The GIODO’s position might be of interest for all entrepreneurs acting as controllers operating in Poland which, to date, have transferred personal data to the U.S.-based recipients pursuant to the Safe Harbor mechanism.
The GIODO referred to the statement of the Article 29 Working Party of October 16, which noted, in the event that no appropriate solution is found with the U.S. authorities by the end of January 2016, and depending upon an assessment of the transfer tools by the Article 29 Working Party, EU data protection authorities (DPAs) are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
As informally learned, starting from February 2016, GIODO may initiate more frequent inspections regarding the compliance of data transfers from Polish companies—controllers to the U.S.—recipients, taking into account that the transfer made under the Safe Harbor mechanism is now illegal. Therefore, it is very likely that the main interest of the DPA shall focus on the Polish affiliates of companies that have head offices/mother companies located in the U.S. and for which, until now, a number of intra-group transfers were based on the Safe Harbor mechanism.
In the opinion of the Polish DPA, the date expressed in the aforementioned Article 29 Working Party statement does not mean that entrepreneurs are not obliged to promptly ensure other legal basis legalizing the transfer of personal data to a third country (the U.S.), other than the Safe Harbor mechanism. In the DPA’s opinion, the period of 30 January 2016 should be considered as a maximum period, prior to which the DPAs of the member states will, as a rule, not initiate operations to enforce the above ruling.
The Polish DPA has stated that it will react to any complaints received in the specified matter, including any complaints submitted prior to 1 February 2016. In its statement, it emphasized that, given the legal effect of ECJ judgments and the fact that the court did not postpone the effects of its judgment in the Schrems case in time, the transfer of data to the U.S. based on the EC Safe Harbor Decision is invalid as of the moment the judgment was handed down.
Having in mind the above, it is recommended for companies in Poland to verify if the Safe Harbor program is still used by them and, if so, an alternative way for the transfer should be implemented, best not later than by the end of January 2016. In this context it should be noticed that the other mechanisms of transfer of personal data provided for by the Polish data protection law remain in force and can be used by companies—Polish controllers transferring personal data to recipients in the U.S. In particular, EC approved standard contractual clauses for the transfer of personal data can be used without the need of obtaining the DPA’s consent for transfer of personal data (provided that no material changes are made in those clauses comparing to their wording in the EC decisions introducing them). The other mechanism that can be used are binding corporate rules, however in order to take advantage of this mechanism, the binding corporate rules shall be first approved by the Polish DPA.
You may wish to read the original DPA statement in Polish here.
photo credit: Polish flag via photopin(license)