For more information, please contact:
+48 22 445 32 66
+48 22 445 32 10
Amendments to the Polish Personal Data Protection Law will take effect on 1 January 2015
On 1 January 2015, important changes to the Personal Data Protection Act (the "Act") will enter into force, which form part of the government's “deregulation package” (Act on the Facilitation of Performance of Business Activity), and which aim to facilitate doing business in Poland.
The most significant changes include:
1. Changes in the role of the Information Security Administrator ("ABI").
According to the new amendments, the appointment of an ABI will be optional. A person is eligible to perform the duties of an ABI, provided that he has sufficient knowledge of the provisions of the data protection law, full legal capacity and full public rights, and must have no criminal records for intentional crimes. Companies must ensure organizational independence for the ABI. In addition, the Inspector General for Personal Data Protection ("GIODO") must be notified, within 30 days, of the ABI's appointment and/or dismissal. ABIs who were appointed according to the old provisions may carry on their duties according to the new law until they are notified to the GIODO's registry, which should not be later than 30 June 2015.
2. New tasks for the ABI.
The additional tasks of the ABI include:
conducting an internal investigation, at the request of GIODO, to verify that processing of personal data by the company is compliant with the provisions of the Act. This internal audit is intended to replace the previous requirement that each complaint is subject to inspection by the GIODO;
keeping an open register of data filing systems processed by the company.
Companies which appoint ABIs and notify GIODO will be released
+48 22 445 34 52
from the obligation to register the electronic data filing systems, unless sensitive data are processed.
3. No more obligation to register personal data filing systems with GIODO if they do not contain sensitive information and are in hardcopy format only.
Under the new amendments, a company is no longer mandated to register with GIODO personal data filing systems which are only kept in paper form, and which do not contain sensitive data (e.g., data on health). This exemption will also apply to controllers which choose not to appoint ABIs.
4. No need to obtain the consent of GIODO for transfers of data to countries outside the EEA, provided that certain conditions are fulfilled.
The new amendments simplify the procedure for international data transfers (e.g., to the parent company in the U.S.). Transfers of data to countries that do not offer adequate levels of protection are allowed, provided that the parties:
execute a data transfer agreement based on an unmodified version of the EU Model Clauses;
implement binding corporate rules approved by the GIODO.
What are the implications for businesses?
For international corporations and entrepreneurs who centralize the data processing processes, and consequently send information outside the EEA, the new rules are very beneficial. The rules eliminate, in a transparent manner, the burdensome and expensive approval proceedings conducted by GIODO, which would often take several months to complete and would often result in the delay of the implementation of new technological and IT solutions.
It is difficult to assess at this stage the changes concerning the ABI, as the Ministry of Administration and Digitalization is still currently working on the implementing rules that will specify in detail the scope of the ABI's tasks. At this point, it is only prudent for companies to closely examine the new statute and monitor the secondary regulation which is to follow soon.