Important changes in the Personal Data Protection Act will enter into force on 1st January 2015. These are a part of the government’s “deregulation package” (Act of 23rd October 2014 on the facilitation of pursuing business activity), which aims to facilitate doing business in Poland.
The most significant changes are:
1. Changes in the role of Information Security Administrator (ABI) According to the new law the appointment of an ABI will be voluntary. A person who performs the ABI’s duties has to have appropriate knowledge, a full legal capacity and full public rights and no criminal record for intentional offences/crimes. The entrepreneur must ensure such a person organizational independence. The ABI’s appointment is subject to the notification to the Inspector General for Personal Data Protection (“GIODO“). 2. New tasks for ABI will include:
- preparing, at the request of the GIODO, reports on processing of personal data by the entrepreneur in accordance with the provisions on the protection of personal data. The intention of the Act is that such a report shall replace the inspection of the GIODO;
- keeping an open register of data filing system processed by the entrepreneur
3. No obligation to register personal data filing systems which do not contain sensitive information (e.g. about the health), if the entrepreneur appointed and notified the ABI to the register kept by the GIODO. 4. Obligation to register will apply only to data filing systems which are subject to electronic data processing. Thus, there will be no need to report data collections which are only kept in paper form, as long as they do not contain sensitive data. 5. It will be no loner needed to obtain the consent of the GIODO for the transfer of data to countries outside the EEA which do not offer adequate level of data protection (eg. to the parent company in the US), provided that the entrepreneur will protect the transfer of data through:
- a data transfer agreement based on an unmodified version of the EU Model Clauses;
- the binding corporate rules.
What are the implications for entrepreneurs?
For international corporations and entrepreneurs who centralize the data processing processes, and consequently send information outside the EEA, the new rules mean big help. They allow, in a transparent manner, to avoid GIODO approval proceedings. Proceedings before the GIODO to obtain a permit for the transfer of data often lasted several months and delayed the implementation of the new technology and IT solutions. In turn, it is difficult to assess the changes regarding the ABI. The new law had the purpose of clarifying such a person’s role and duties in the organization. However, the secondary regulation describing all the duties of the ABI has not yet been issued. Also, the intent of the act was to allow controllers which appoint the ABI to avoid difficulties connected with inspections of the GIODO. If, in fact, doubts or objections concerning the processing of personal data by the entrepreneur arise, the GIODO will be able to instruct the ABI to clarify the issue, instead of immediately carrying out the inspection of the entrepreneur’s operations. Again, because of the missing regulation, it is yet unclear how exactly the ABI should act upon receiving a request from the GIODO. The entrepreneurs who have currently the ABI should particularly urgently examine the new statute and monitor the secondary regulation which is to follow soon. By Marek Rosiński, Radosław Nożykowski and Magdalena Kogut-Czarkowska (Baker & McKenzie Warsaw)