On 28 March 2017, the Ministry of Digital Affairs (the “Ministry”) presented a preliminary draft of some of the provisions of the new Personal Data Protection Act. The remaining part of the Act that is not included in the presented project – which concerns regulations on the new data protection authority’s system position, transitional rules, and regulations changing sectoral regulations – is still being prepared.
The project presented by the Ministry aims at implementing the General Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of data (the “GDPR”) in national law. It is worth remembering that the GDPR is, in principle, an effective act of EU law, but in some cases requires national legislative action.
According to the information provided by the Ministry advisor, the Ministry plans to present a final draft of the new Personal Data Protection Act, along with the amendments to the detailed law, in June 2017. The submission of the draft law to the Parliament is planned for autumn 2017, and the completion of its legislative process at the beginning of 2018. The new Data Protection Act should enter into force on May 25, 2018, when the GDPR begins to apply.
Below is an overview of the most important issues with regard to the currently released version of the project. Please note that it is not a final version of the draft, so it may be changed.
Appointment of the President of the Office for the Protection of Personal Data in Place of the Inspector General for the Protection of Personal Data – Competence to Impose Fines
In place of the current General Inspector for Personal Data Protection, a new body called the President of the Office for the Protection of Personal Data will be set up (the “President of the Office”).
The powers specified in the GDPR remain current, and the President of the Office will be able to impose fines on entrepreneurs. Currently, the Inspector General for Personal Data Protection does not have such powers. The maximum GDPR penalty is up to €20 million or up to 4% of turnover.
Reduction of the Age Limit for a Child to Obtain Parental Consent for Data Processing on the Internet
The consent of parents or legal guardians of a child to process his or her personal data on the Internet (e.g. on social networking sites or websites that allow you to set up emails or watch legitimate videos) will be required for children under the age of 13.
Transitional Provisions for Information Security Administrators
According to the project, persons performing the function of Information Security Administrator (Administrator Bezpieczeństwa Informacji) on 24 May 2018 will act as a Data Protection Officer (DPO) until 1 September 2018. Until then, each DPO has time to decide whether to continue to perform such function and to notify the President of the Office. In the absence of any activity on their part, on 1 September 2018, any current Information Security Administrators will cease to act as DPOs.
Additional Mechanism for Pursuing Claims for Personal Data Breaches
Article 79 of the GDPR imposes on member states the obligation to provide a separate way to pursue claims for any breach of the Personal Data Protection Act by granting the right to file “complaints” directly to the court without the involvement of the President of the Office.
According to the submitted project, the common courts have the competence to adjudicate on any complaints filed pursuant to Article 79 of the GDPR.
Data subjects will have several options for enforcing their rights. In the case of any breach of data protection law, the injured person will be able to apply to the President of the Office and after a decision has been issued, he or she may apply to the administrative court. The second possibility is to appear before the President of the Office and the general court at the same time, and the third option will be to apply only to the common court. The above does not exclude the possibility of claims for infringement of personal rights.
In order to avoid the situation in which the court and the President of the Office are dealing with the same matter, the project assumes the duty to inform each other about, among others, infringement proceedings. This will allow, for example, the suspension of court proceedings until the end of the proceedings before the President of the Office.
Obligation of the President of the Office to Issue Non-Binding Good Data Processing Practices
The bill imposes on the President of the Office the obligation to issue non-binding good practices for the processing of personal data to the extent possible for the security of data processing. It should be emphasized, however, that the administrator or processor will not be exempted from assessing which personal data protection measures should be applied in the given situation, as it may sometimes be necessary to implement more extensive measures than those foreseen in good practice.
Code of Conduct for the Protection of Personal Data
The draft proposes that the procedure for the protection of personal data should be based on the Code of Administrative Procedure. However, the proposed legislation provides for some changes and differences. These include, amongst others:
- Special protection of business secrets.
- Possibility of setting a time limit for the submission of evidence in its possession.
- The right of a social organization to make a request to initiate proceedings or to participate in proceedings also in situations where the interests of the person whose rights have been violated are in favor of them.
- Departure from the principle of two instances of administrative proceedings in favor of one instance in the case of any violation of the provisions on the protection of personal data (which means that the President of the Office will issue a decision that can be challenged before the administrative court). However, the President of the Office was granted the right to self-check the issued decision: If an administrative complaint concerning the decision of the President of the Office is brought before the administrative court, the President of the Office may, within 30 days of the date of lodging such complaint and if the complaint is considered to be well-founded in its entirety, revoke the contested decision in its entirety and issue a new one, as notified by the parties. A complaint may also be filed against the new decision.
- The power of the President of the Office to issue a temporary measure, which requires the entity, which has been accused of breaching the provisions on personal data protection, to restrict the processing of personal data, indicating the acceptable scope of such processing.
- The permission of the President of the Office to issue an admonition by way of an administrative decision in cases where the seriousness of the breach of the provisions on the protection of personal data is negligible and the party has ceased its breach.
- Immediately enforceable decisions issued by the President of the Office. The above solution does not apply to administrative fines.
The Minister of Digital Affairs envisaged in the draft law detailed articles that regulate the rules of the inspection proceedings conducted by the President of the Office. Such inspection can be conducted in three situations:
- Planned inspection – Such inspection is to be carried out in accordance with an inspection plan previously created by the President of the Office, including information on recurrent infringements in specific sectors, without initiating administrative proceedings.
- Ad-hoc inspection – This inspection is carried out outside of the inspection plan, also without initiating any proceedings.
- Inspection in the course of administrative proceedings conducted by the President of the Office, including inspections without prior notification of such checks.
The legislator has specified that the inspection procedure cannot last more than one month. In addition, the legislator has explicitly adopted in the proposed legislation that in the course of inspection the inspector may use the assistance of officers (e.g. Police) of other state control authorities.