The Polish Ministry of Digital Affairs published at the end of March a partial draft of the new act on data protection. This is a clear signal that the Polish government has launched preparations for the General Data Protection Regulation.

The draft, thus far, is not a comprehensive regulation since it addresses only certain, albeit crucial, data protection issues:

1. Data Protection Officer. The GDPR introduces the position of a data protection officer that will replace the current counterpart, known in Poland as an information security officer (administrator bezpieczeństwa informacji, or ABI). The Polish draft law includes interim provisions regarding the continued functioning of ABIs, which states that pre-appointed ABIs will automatically perform the function of a DPO as outlined in the GDPR, but only until September 1, 2018. By that date, controllers or processors are obliged to notify the Polish Data Protection Authority about the appointment of a DPO or to provide information that the current ABI will not perform the DPO’s functions. If no notification is made, as of September 1, 2018, any pre-appointed ABIs will automatically cease to perform the function of a DPO. It is worth remembering that the appointment of a DPO is mandatory only if the criteria indicated in the GDPR are met.
2. Good practices on data security. The DPA will publish good practices on data security, including recommended technical and organizational measures. Such recommendations will be non-binding. Nevertheless, it means that Poland’s existing, detailed secondary legislation on technical data protection documentation and technical and organizational conditions will be repealed. This is good news for entrepreneurs since, in practice, drawing up specific Polish security documentation has been troublesome. When the new provisions enter into force, there will no obligation to keep such documentation.
3. Data breach proceedings. One of the DPA’s responsibilities will be to conduct administrative proceedings regarding personal data breaches. The DPA will be entitled not only to impose fines, but also to issue reprimands. Reprimands will be applied if the breach is insignificant and the data processing entity has ceased to infringe the law. There will only be one single instance of administrative proceedings, but the parties will have the right to appeal to the competent administrative courts.
4. Interim decisions. The new provisions entitle the DPA to issue interim decisions in the event that it is proven during the administrative proceedings that a given entity infringes data protection provisions. By virtue of such a decision, the DPA may restrict the wrongdoing entity from the processing data. The new competence is essential in order to ensure that data are protected effectively, since it enables the negative effects of breaches to be minimized before the final decision is issued.
5. Inspections. In addition to planned and ad hoc audits, the DPA will also be entitled to conduct an inspection during the course of administrative proceedings regarding data breaches brought against a particular data controller/processor. Moreover, the Polish government intends to entitle the DPA to conduct inspections without any prior notification. As a result, it may be crucial for entrepreneurs to draw up relevant internal codes of conduct to be fully prepared for any unannounced DPA inspection.
6. Accreditation. The new law will also clearly specify the rules on the accreditation of the certification bodies. Accreditation of them will be probably performed by the DPA, which will also be responsible for establishing the relevant criteria.  
7. Financial penalties. One of the most discussed topics related to the GDPR is the imposition of fines on public bodies and entities. As regards those public entities that will be subject to fines, it is planned to cap their financial liability at PLN 100,000.00 (approx. EUR 25,000.00).   
8. DPA’s guidelines. It is worth noting that the Polish authorities attend dedicated, professional conferences in order to present their approach on the most important GDPR-related issues. One such event, organized by SSW law firm together with the British-Polish Chamber of Commerce, took place on May 25 in the British Embassy in Warsaw. During the conference, the DPA representative offered reassurance that the DPA will systematically publish new guidelines aiming to facilitate the entire adaptation process. Also on May 25, the DPA published on its website a checklist of main issues to be taken into consideration when implementing the GDPR. To date the checklist, which consists of 17 points, has being successively supplemented by the relevant comments on each point. It is expected that the DPA’s comments will eventually constitute informal guidelines to be applied by or processors seeking to comply with the new provisions.

While entrepreneurs are preparing to implement changes to ensure their compliance with the GDPR, the Polish government is simultaneously seeking to adapt the current Polish legal framework. At the present moment, the new draft legal provisions are in public consultation. It is assumed that other legal acts containing specific data protection provisions might also be amended, such as the Polish Labor Code which contains specific provisions governing data protection within employer-employee relations.

photo credit: Polish flag via photopin (license)