On 1st January 2015 amendments to the Polish Data Protection Act of 29th August 1997 came into force. These amendments (the “Amendments”) impact: (i) the role played by the “administrator bezpieczenstwa informacji,” (“DPO”) the individual that plays a similar role to a data protection officer; (ii) the duty to register data filing systems with the Polish data protection authority (the “DPA”); and (iii) transfers of personal data outside of the European Economic Area (the “EEA”). Each of these developments is addressed in turn.
Data Protection Officer
Whether or not a data controller chooses to appoint a DPO remains entirely optional, but the Amendments set out the qualifications that a DPO, if appointed, must possess along with its obligations, and creates a new register of DPOs maintained by the DPA.
Qualifications of a DPO
The position of DPO may, following the Amendments, only be filled by a person who has: (i) full legal capacity and enjoys full civil rights; (ii) an adequate understanding of data protection law; and (iii) no criminal record for crimes involving wilful misconduct.
A DPO is appointed by the data controller, who may also appoint deputy DPOs. If no DPO is appointed, the data controller must perform the majority of the DPO’s duties directly.
Responsibilities of a DPO
The DPO’s duties are clearly set out in the Amendments. They include ensuring that the data controller’s data processing complies with data protection laws, in part by verifying and reporting on such compliance to the data controller, supervising the drafting of and adherence to policies and standards outlining the manner in which data are processed and the technical and organizational measures that are in place to facilitate compliance, and ensuring that people authorized to process personal data are familiar with the data protection laws. It will also be the responsibility of the DPO to maintain a public register of the data controller’s data filing systems. See below in section 2 for further information on this requirement.
DPOs may have other duties, provided that such additional duties do not adversely affect the performance of those obligatory responsibilities. A DPO should report directly to a manager and, only where the data controller is a physical person (e.g. a sole entrepreneur), directly to such data controller. Data controllers must ensure that sufficient resources are made available and that appropriate levels of organizational autonomy are in place to enable the DPO to perform its duties independently.
Registration of the DPO in the new DPO register, to be maintained by the DPA
The registration of an appointed DPO with the DPA (and the removal of such registration following their dismissal) is mandatory. The form such registration will take is stipulated under secondary legislation, already in force. Any DPO appointed before 1st January 2015, will remain in their position as DPO according to the new rules set by the Amendments until as long as it is registered on the new register by 30th June 2015. If the data controller, before 30th June, does not add the DPO to the DPO register, the existing DPO will automatically cease to perform its functions , and the data controller will have to perform the DPO duties directly (aside from preparing a report for the data controller and maintaining the internal data filling systems register, duties which only exist where a DPO is appointed). If the data controller then, after 30th June, wishes to have an internal DPO the data controller will need to reappoint the DPO and notify it to the DPO register.
The DPA will be able to, where a DPO is appointed and registered with the DPO register, audit the data controller’s compliance with Polish data protection laws through the DPO by requesting that the DPO conduct an internal inspection on the DPA’s behalf and report the results to the DPA. Note that the DPA will still be able to send its own inspectors to conduct an inspection.
Changes to the Registration of Data Filing Systems
The appointment and registration of a DPO means that data filing systems previously registered with the DPA will need to be registered internally by the DPO. However, the duty to register sensitive personal data filing systems in the DPA’s data filing system register will continue to exist. If no DPO is appointed and registered with the DPA, the data controller will be still obliged to register data filling systems with the DPA register, unless registration exemptions apply.
All data filing systems not contained in an IT system, e.g. in paper form, are exempted from the duty to notify the DPA (provided that they contain no sensitive personal data) and similarly will be exempted from the duty for the DPO to include them in the internal data filing system register.
The data filing systems maintained internally by a DPO must be made public; the rules governing the disclosure of the contents of such data filing systems to the public are likely to be laid down in secondary legislation to be adopted pursuant to the Amendments.
Transfers Outside the EEA
The main rule governing transfers of personal data outside of the EEA remains unchanged under the Amendments: it is generally necessary to have the written consent of the relevant data subject to justify such a transfer and in the absence of such consent, it is generally necessary to acquire the DPA’s permission. Note that in some cases a legal basis other than consent can be relied upon.
However, following the Amendments, neither the consent of the data subject nor the DPA’s permission is required if a data controller ensures that one of the following protective measures is implemented:
- standard contractual clauses approved by the European Commission pursuant to Article 26(4) of Directive 1995/46/EC; or
- binding corporate rules (“BCRs”) for intergroup transfers, approved by the Polish DPA in accordance with the manner of approval set out in the Amendments.
The Amendment does not affect transfers to Safe Harbour certified U.S. recipients. The rules for that remain unchanged: where a certificate has been obtained under the Safe Harbor program, within the scope of such a certificate, the US recipient will be considered as ensuring an adequate level of protection to the transferring data.
It is important to note that quite aside from meeting the above additional requirements, which must be met to transfer personal data to a third country outside of the EEA , the data controller is always obliged to meet all other requirements imposed by the Polish data protection law.
The Amendments clarify the obligations of DPOs and simplify the data filling systems registration duty, but it remains up to data controllers to choose whether or not to follow the rules of the Amendments or to stick with the old requirements, which continue to be binding.
Many practical aspects concerning implementation of the Amendments with regard to the maintenance by the DPO of the internal data filling systems register and the performance of the DPO duties are expected to be contained in secondary legislation adopted pursuant to the Amendments which are still in the process of being finalized. A complete overview of the new rules and their impact on the existing obligations of data controllers will only be possible once such secondary legislation has been promulgated.
Author Joanna Tomaszewska, Ph.D., is Legal advisor and Head of the Intellectual Property, New Technologies and Protection of Information Department at Spaczyński, Szczepaniak & Wspólnicy Law Firm, Warsaw Office. She can be reached at: [email protected].