On 14 September 2017, a draft of the new Personal Data Protection Act “implementing” EU General Data Protection Regulation (the “PDPA Draft”) was published as well as a draft amending numerous sectoral laws (“Amending Act Draft”). As announced by the Minister for Digitization, the drafts are to be subject to extensive public consultation.
Here are the key issues covered by the announced drafts.
Electronic Services for Children Under 13 Years of Age and Consent to Data Processing
In the case of electronic services offered directly to a child under the age of 13 and staying in the territory of Poland, where the basis of data processing is the consent of the child, processing will only be possible with the prior consent of the legal representative of the child, or immediately after confirmation by the legal representative of the consent expressed by such child.
Certificate of the Compliance With GDPR
The GDPR provides for the possibility of establishing certification mechanisms that will testify to the consistency of data processing with GDPR. The PDPA draft envisages that certification will be made by the President of the Office for the Protection of Personal Data, on the basis of the request of the administrator/processor, based on the certification criteria developed and made available by the President of the Office in the Bulletin of Public Information. The application is subject to a fee of three-fold average remuneration for work in the national economy announced by the President of the Polish Central Statistical Office (in 2016, the average monthly fee was PLN 4047.21).
The President of the Office will be able to check if the entity meets the requirements for applying for/holding a certificate. The verification activities can be carried out both at the stage of the certification procedure and after the granting of the certificate.
The President of the Office for the Protection of Personal Data/Council for the Protection of Personal Data
The President of the Office for the Protection of Personal Data shall be the competent body in matters of personal data protection, who will be able to carry out his task with up to three deputies and the Office for Personal Data Protection. In addition, the President of the Office will be supported by the Council for the Protection of Personal Data (consultative and advisory body). Opinions and other council documents will be made available in the Public Information Bulletin on the website of the President of the Office.
Proceedings Concerning Infringement of the Provisions on the Protection of Personal Data
The PDPA draft specifies the rules of conduct for infringements of the provisions on the protection of personal data. The most important of these are:
- The possibility of requesting the initiation of or admission to participate in proceedings by a social organization dealing with the protection of personal data.
- The possibility of submitting documents in a foreign language and, at the request of the President of the Office, the obligation to submit translations into Polish.
- The possibility of keeping the business secrets included in the information and documents provided to the President of the Office confidential; the President of the Office may, in justified cases, waive the reservation.
- The possibility of limiting by the President of the Office (upon request or ex officio) the right of access to the evidence due to, inter alia, the possibility to disclose business secrets.
- The possibility of requiring an entity that is alleged to have infringed the provisions on the protection of personal data, to limit the processing of data.
- Immediate enforceability of the President of the Office’s decision, however, filing a complaint with the administrative court shall cause the execution of the decision to be suspended as regards an administrative penalty.
The President of the Office may conduct inspections on the compliance with the provisions on the protection of personal data – planned or off-plan checks (ad hoc) on the basis of the information obtained or analysis made.
The PDPA draft sets out the rules for obtaining information and documents that can provide evidence in the case or obtaining access to them (e.g., access to buildings, documents or IT systems). The course of control can be recorded, for example, by means of video-cameras. The course of the inspection is presented in the inspection report drawn up by the inspector. Prior to signing, the controlled entity will be able to file written objections to the report.
The inspection procedure may not last more than one month from the date on which the subject of inspection was presented with the official ID card of the officer who conducts control and authorization to carry out the inspection.
If, on the basis of the inspection report, the President of the Office considers that the data protection rules may have been breached, the President of the Office is obliged to initiate appropriate proceedings and may demand disciplinary proceedings against individuals who are guilty of irregularities. If the act or omission in question meets the criteria a criminal offense, the President of the Office is obliged to notify the law enforcement authorities.
A person whose rights under the Personal Data Protection Act have been infringed may demand that such action be terminated as well as that the infringer take necessary actions to remove its effects. Such person may also assert other claims for infringement of personal data protection regulations. The regional court (sąd okręgowy) will have the jurisdiction (regardless of the value of the subject-matter of the dispute). The court is obliged to notify the President of the Office of the filing of the suit. If a proceeding is pending before the President of the Office or an administrative court on infringement of personal data protection laws or such proceeding has been terminated, the President of the Office is obliged to notify the court and the court may suspend proceedings pending before it. The court is obliged to notify the President of the Office of any court ruling upholding the action for the abovementioned claims.
The President of the Office will be able to impose, by way of a decision, administrative fines provided for under GDPR, i.e., depending on the type of infringement: up to €20 million or 4% of the total annual worldwide turnover/up to €10 million or 2% of the total annual worldwide turnover, with a higher amount applied.
Financial penalties will be paid within 14 days from the date of expiry of the time limit for filing the complaint, or from the date of the administrative court ruling becoming final and binding. Upon reasoned request of the penalized entity, the President of the Office may postpone the payment of the penalty or spread it into installments.
The PDPA draft provides for a fine to be imposed in accordance with the procedure for misdemeanor for a person who impedes or obstructs the inspection on the compliance with the provisions on the protection of personal data. Furthermore, the PDPA draft provides for a fine, penalty of restriction of liberty or imprisonment for up to one year, judged under the Code of Criminal Procedure for processing of sensitive data without the legal basis.
Other Proposed Changes to the Sectoral Laws
Amending Act Draft contains the proposals for the changes in a number of the Sectoral Laws, including Labor Code, Telecommunications Act, Electronic Services Act, Banking Act, Payment Services Act, Public Roads Act and many others. Below you will find a summary of the proposed changes to the Labor Code. As far as the proposed changes to other regulations are concerned, we will provide more detailed information by separate posts.
Proposed Changes to the Labor Code
- Processing of the candidate/employee’s data by the employer other than the ones indicated in the Labor Code and indicating the candidate/employee’s consent as the basis for the processing of such data.
- Processing of the employee’s biometric data on the basis of consent.
- Prohibition of unfavorable treatment or negative consequences for the candidate/employee in case of non-consent to data processing (e.g. refusal of consent may not constitute grounds for refusing employment or terminating an employment contract).
- Prohibition of processing data on addictions, health status, sexuality or sexual orientation even on the basis of consent.
- Admissibility of monitoring (if necessary) of the workplace or site around the company to ensure the safety of workers or the protection of property or the secrecy of information the disclosure of which could expose the employer to a loss, and the obligation to inform employees of any monitoring measures that the employer undertakes, no later than 14 days before starting the monitoring procedure.
- Data Protection Officers – Persons who will act as information security administrators (ABI) on 24 May 2018, will act as data protection officers (DPO) until 1 September 2018. By 1 September 2018, the controller/processor must notify the President of the Office that the DPO has been designated or that ABI does not have a DPO function.
- Transfer under BCR – A controller who transfers personal data to a third country upon Binding Corporate Rules that were approved by the Inspector General for the Protection of Personal Data is entitled to transfer the data on this basis for a period of no more than 12 months from the date of entry into force of the amending act. We will be closely monitoring and keeping you up-to-date with the progress of the PDPA draft. And as always, in case of any questions, we remain at your disposal.