Last year, the Polish legislative bodies enacted the changes to the Polish data protection law that came into force on 1 January 2015. The new law includes a general description of the function of a Data Protection Officer, as well as the principles of transferring data outside of the European Economic Area.

According to the law, in case of appointing an existing DPO, data controllers must have notified the authority by 30 June 2015 of appointing such DPOs under new rules. After this date, DPOs appointed under the old law, that were not notified to the authority, should not be considered as such under the new law. As it currently stands, there are more than 9800 DPOs registered, according to the publicly accessible register (please see here - available in Polish only).

Requirements towards the DPO & its status within an organisation

An individual applying for the role the Data Protection Officer has to meet the following criteria:

  • full legal capacity and full civil rights;
  • adequate knowledge of the protection of personal data;
  • never convicted of an intentional crime.

The data controller may appoint a deputy Data Protection Officer, if such person meets the above conditions. This gives a lot of flexibility as to the structure of data protection within an organisation and should be considered as an opportunity for larger data controllers. The Data Protection Officer reports directly to the head unit of the data controller. In practice, the DPO will report directly to the board or to the CEO. The data controller provides the Data Protection Officer with the means and organizational autonomy necessary for the independent exercise of the functions.

Tasks of the DPO

According to the new law, the tasks of the data protection officer are as follows:

  • ensuring compliance with the provisions on the protection of personal data, in particular by:
    • checking compliance of personal data processing with the rules on personal data protection and preparation of the report from such check for the data controller;
    • supervising the compliance of documentation required  under personal data protection law, and updating such documentation;
    • ensuring that persons authorized to process personal data are familiar with the  provisions on the protection of personal data;
  • keeping a register of data sets processed by the data controller.

Internal auditing.

The DPO will be required to conduct two different types of internal audit: for the data controller and for the GIODO (in the latter case – at the request of the authority in a scope and timeframe provided within the request). According to the law, the DPO should focus on the following areas:

  • legal basis of the processing of personal data and sensitive personal data;
  • compliance of security measures (including relevant documentation) with the law;
  • legal basis for the transfer of personal data outside of the European Economic Area;
  • database notification (registration) requirements, if applicable.

The ad-hoc audits must be conducted immediately after receiving notice of a data breach or the suspicion of a data breach.

The Data Protection Officer shall verify the above information within the internal audit process (or within an audit at the request of the GIODO), as well as on the basis of reports from employees/contractors carrying out the duties specified in the documentation of data processing.