What does this cover?

The Polish Data Protection Authority has confirmed that parties previously relying on the Safe Harbor regime should be putting in place alternative methods in order to ensure data transfers to third countries are legal.

The Polish DPA stressed that the deadline of 1 February 2016 as referenced by the Article 29 Working Party should be seen as an absolute deadline and despite the 'grace-period' afforded to member states. The Polish DPA's Inspector General will not rule out the possibility of responding to any complaints submitted in relation to this development, including those submitted before 1 February 2016, due to the immediate effect of the CJEU's judgment in the Schrems case in October 2015.

What action could be taken to manage risks that may arise from this development?

In light of comments from the Polish DPA and our previous advice regarding the invalidation of Safe Harbor, companies with presence in Poland should ensure alternative mechanisms have been put in place for data transfers to third countries (e.g. Model Clauses, BCRs, etc.).

What action could be taken to manage risks that may arise from this development?

In light of comments from the Polish DPA and our previous advice regarding the invalidation of Safe Harbor, companies with presence in Poland should ensure alternative mechanisms have been put in place for data transfers to third countries (e.g. Model Clauses, BCRs, etc.).