It will now be easier to transfer data outside the EEA, and the appointment of a DPO will be optional
Removal of GIODO's approval for data export and changes to the position of DPO - amendments to the Polish DP Act to enter into force on 1 January 2015
On 1 January 2015, the amendments to the Polish Data Protection Act of 29 August 1997 (Amendments) will enter into force. The changes concern two main issues:
- Transfer of personal data to a third country that does not ensure an adequate level of protection
- Change of the functions of the data protection officer (known in Poland as the information security administrator).
EU Model Clauses
Currently, a data controller wanting to export personal data to a third country not ensuring an adequate level of protection on the basis of the EU Model Clauses needs to obtain the prior approval of the Inspector General for Protection of Personal Data (GIODO). The current law creates an administrative burden for companies and is largely a formality.
Under the Amendments, GIODO's consent will no longer be required if a data exporter and a data importer enter into an agreement based on EU Model Clauses.
So far the Personal Data Protection Act (PDPA) has been silent on binding corporate rules (BCRs). In practice GIODO approves BCRs. The Amendments introduce explicit provisions authorising GIODO to approve BCRs as a basis for personal data transfers to other controllers or data processors within the same group in a third country.
The Amendments also formally allow GIODO to conduct consultations with other EU data protection authorities, in particular concerning BCRs. When issuing a decision GIODO takes the results of this consultation and approvals of BCRs by other data protection authorities into account.
These changes are moving in the right direction – to facilitate data transfers without reducing the level of personal data protection. This is good news for international companies which will no longer be obliged to obtain GIODO's consent each time they want to launch a new product or IT system involving data transfer to a third country.
However, this does not mean that agreements concluded on the basis of the EU Model Clauses or BCRs will no longer be assessed. Currently GIODO considers whether a data transfer is adequate and proportionate and whether there is a valid legal basis for processing and disclosing the data. The burden will now be on companies and their DPOs and lawyers to assess whether a particular data transfer is lawful.
Data Protection Officer
At present each company in Poland by law has to appoint a Data Protection Officer (DPO) unless they are sole traders (individuals who run their own business). Under the new regime, the appointment of a DPO will be optional.
According to the Amendments, companies will have two options:
- Appoint (or continue to have) a DPO and notify the appointment to GIODO
- Not appoint a DPO.
Appointing or continuing to have a DPO
The advantage of appointing a DPO is that no notification of data filing systems with GIODO is needed (except those containing sensitive data). However, in exchange the following obligations will be imposed:
- GIODO will be allowed to ask the DPO to carry out an internal data protection compliance audit and report its results directly to GIODO (including pointing out any non-compliance and explaining how it has been or will be remedied)
- The DPO will have to provide the data controller (in practice the Management Board) with a report on the level of compliance in the organisation
- The DPO will have to keep a register containing very detailed information about all data filing systems in the organisation (similar in scope to the current data filing system notification form). The register should either be available on the company's website or be made accessible at the company's premises.
A DPO must meet minimum requirements (knowledge of personal data protection law, full capacity to exercise public rights, and no conviction for an intentional crime). The DPO should be independent within the company's structure and report directly to the controller/processor (e.g. a group DPO should report directly to the Management Board of the Polish entity).
The appointment or dismissal of a DPO should be notified to GIODO within 30 days. GIODO will keep a publicly available register of notified DPOs.
A DPO appointed under the old law may carry on their duties under the new law until they are notified to GIODO, but this must be done no later than 30 June 2015.
New tasks for DPOs and controllers/processors
In addition, the DPO will be obliged to ensure compliance with data protection rules, in particular by:
- Verifying compliance of personal data processing with legal provisions and preparing a report for the data controller/processor
- Supervising the drafting and updating of mandatory security documentation, and compliance with the rules therein, and
- Ensuring that the persons authorised to process personal data are familiar with the data protection rules.
If a data controller/processor does not appoint a DPO, it will have to perform the new duties listed above itself (except the duty to prepare a report for the data controller/processor).
The government is currently working on three secondary regulations relating to the performance of DPO duties. These regulations are very important, as they will make the DPO's general obligations more precise (and perhaps certain controller/processor obligations as well). Templates for the DPO notification to GIODO and for the data filing systems register are also being prepared.
It is unlikely that the government will finalise the above secondary regulations before 1 January 2015.
The aim of the Amendments is simple: to release companies from the burdensome obligation to notify data filing systems. However, as mentioned above, controllers/processors that appoint a DPO will also need to deal with the other obligations that come with the role.
The new DPO duties may be seen as controversial. In particular, DPOs will be obliged to record instances of non-compliance and include them in their reports, and GIODO may then use such reports in the course of its inspections.
The Amendments may be beneficial for larger companies which already have an organised data protection staff structure. For small and medium-sized businesses, the number of obligations and the human and organisational costs of appointing a DPO may outweigh its benefits.
On the other hand, the fact that a company has appointed a DPO may be seen by contracting parties and consumers as a positive sign that the company pays close attention to data protection compliance.
Unfortunately, since the secondary regulations are not yet finalised, at this stage it is difficult to make a final informed decision as to which option is best for a given business. Businesses should therefore monitor the secondary regulations, especially as there is not much time left before the new rules apply.
The Amendments are available in Polish here.