At the end of March the Polish government adopted the draft of the new act on data protection (“Draft”). The Draft has been passed to the Parliament, where further work on it is proceeding. The new law is expected to come into force, along with the GDPR, on May 25, 2018.
The Draft aims to adapt the local legal framework to the GDPR regime. The new act will replace the currently binding Act of August 29, 1997 on Data Protection. The following issues regulated in the Draft may be of particular interest to data protection practitioners:
- Data Protection Officer. The GDPR introduces the position of a data protection officer (“DPO”), who will replace the current counterpart, known in Poland as an information security officer (administrator bezpieczeństwa informacji, “ABI”). The Draft includes interim provisions regarding the continued functioning of ABIs, which state that pre-appointed ABIs will automatically perform the function of a DPO, but only until 1st September 2018. By that date, controllers or processors are obliged to notify the Polish Data Protection Authority (“DPA”) about the appointment of a DPO or to provide information that the current ABI will not perform the DPO’s functions. If no notification is made, as of 1st September 2018 any pre-appointed ABI will automatically cease to perform the function of a DPO. It is worth remembering that the appointment of a DPO is mandatory only if the criteria indicated in the GDPR are met.
- Documents to be issued by the DPA. The DPA will publish non-binding recommendations on technical and organizational measures aimed at ensuring data security. Such recommendations are highly awaited, since the current detailed secondary legislation on technical data protection documentation and on technical and organizational conditions will be repealed. According to the Draft, the DPA will also publish the list of processing operations that will require a data protection impact assessment (“DPIA”). Importantly, the Polish DPA has already announced a proposal for such a list, which is currently at the stage of public consultations. A list of operations that do not require a DPIA is also expected; the Polish authority has confirmed that it will issue a proposal for that list by May 25, 2018.
- Data breach proceedings. One of the DPA’s responsibilities will be to conduct administrative proceedings regarding personal data breaches. There will be only a single instance of administrative proceedings, but the parties will have the right to appeal to the competent administrative courts.
- Interim decisions. The new provisions entitle the DPA to issue interim decisions in the event that it is proven during the administrative proceedings that a given entity infringes data protection provisions. By virtue of such a decision, the DPA may restrict the infringing entity from processing data. Such an entity will retain the right to appeal against the interim decision.
- Certification and accreditation. The Polish Centre of Accreditation (“PCA”) will be responsible for the accreditation of certification bodies. Certification for the purpose of demonstrating that processing operations by controllers and processors comply with the GDPR (art. 42 of the GDPR) will be the responsibility of the DPA and the certification bodies. Accreditation and certification criteria will be published on the DPA’s website. The DPA will also maintain a publicly available register of certified controllers and processors.
- Codes of conduct. Codes of conduct will be approved by the DPA. The DPA will also be responsible for the accreditation of bodies allowed to monitor compliance with approved codes of conduct (art. 40 of the GDPR).
- Other issues. The Draft also contains provisions regarding inspections conducted by the DPA, the possibility of engaging the police in inspection activities, procedural aspects of civil claims relating to data protection, as well as criminal penalties for processing data without authorization or for obstructing inspection proceedings.
Simultaneously, the Polish government is also working on a separate act that aims to adjust sectoral data protection provisions (e.g. in the labor context) to the GDPR.