GIODO broadly confirms Article 29 Data Protection Working Party’s 16 October 2015 statement

The Polish data protection authority (Inspector General for Personal Data Protection – “GIODO”) has released a statement regarding the Safe Harbor Decision of the European High Court of Justice (statement available in English at The data protection authority has referred to the Article 29 Data Protection Working Party’s statement from 16 October 2015, and confirmed that under Polish data protection regulations, Standard Contractual Clauses and Binding Corporate Rules can still be used (as regulated by Articles 47 and 48 of Poland’s Act of 29 August 1997 on the Protection of Personal Data), despite of the fact that it is impossible to use the Safe Harbor adequacy decision as the basis for the transfer of personal data to the US.

In Poland, the use of Standard Contractual Clauses and Binding Corporate Rules is a particularly practical option, in light of the latest amendments to the Act on the Protection of Personal Data, which went into effect on since 1 January 2015. The amended provisions of the Act permit personal data transfers without obtaining GIODO’s consent when the controller uses Standard Contractual Clauses, as approved by the European Commission, or Binding Corporate Rules, as approved by GIODO. What’s more, the amendments granted GIODO with explicit authority to approve Binding Corporate Rules.

GIODO in its statement has also stressed that if by the end of January 2016 Member States have not developed another joint solution replacing the Safe Harbor program, GIODO will commence enforcement actions. The DPA added that the timeframe indicated by the Working Party “does not mean that entrepreneurs are not obliged to immediately adopt another legal ground legitimising transfer to third countries”. The Polish DPA’s view is that the proposed timeframe marks a period during which Member States’ DPAs shall not, generally, initiate enforcement actions. However, actions may be initiated by GIODO before 1 February 2016, particularly in relation to any complaints received by the DPA regarding personal data transfer to the US. The General Inspector is of the opinion that that due to fact that the Court did not decide to postpone the effects of its judgment in the Schrems case, “at the time of [Schrems] issuance, data transfer to the US based on the European Commission’s [Safe Harbor] decision became illegal”.