Poland recently amended its Personal Data Protection Act. The amendments, which have gone into effect, concern two main areas: (i) changes in the function of the data protection officer; and (ii) the transfer of personal data outside the European Economic Area (EEA) to a third country that does not ensure an adequate level of protection.
First, the amendments clarify that the appointment of a data protection officer, or as known in Poland, administrator of information security, is no longer mandatory. However, if a company does appoint an administrator of information security, it is exempt from data filing registration requirements with the Polish data protection authority (the GIODO) unless such data concerns sensitive personal data.
Second, the changes ensure that the EU Commission’s approved Binding Corporate Rules or GIODO’s approved Standard Contractual Clauses for data transfers are automatically recognized as adequate protection to transfer personal data to non-EEA and non-“white list” countries – something that previously required consent from the GIODO or every needed data subject. These changes by the Polish government intend to make doing business in the country easier.
Tip: The recent amendments to the data export provisions of Poland’s data protection laws should make doing business with Polish companies easier.