Polish Data Protection Act amendment in detail
By Michał Balicki and Emilia Stępień
The amendment to the Data Protection Act of 29 August 1997 (DPA) came into force on 7 March 2011. The amendment (Journal of Laws 2010 No. 182, item 1228) is intended to strengthen personal data protection by increasing its effectiveness. The Polish Data Protection Authority (GIODO) will be able to enforce its decisions more effectively.
The amendment does not impose any unique solutions in comparison to other EU countries and the Privacy Directive. The most important changes relate to:
- amending the registration procedure for data filing systems;
- adding new criminal offenses, including an offense of obstructing a GIODO inspection;
- adding new GIODO entitlements to enforce its decisions, including the possibility of imposing a fine for non-performance of its decisions;
- the possibility for the data subject to withdraw consent;
- revocation of a special provision authorizing the disclosure of personal data by data controllers (this regulation was exceptional compared to the Privacy Directive scheme); from now on, data will be disclosed on the same basis as in other EU member states;
- regulation of GIODO's inspections.
1. Obligation to register new sensitive data in already-registered data filing system
The DPA imposes a new obligation on data controllers. When a data controller plans to start processing sensitive data in an already-registered data filing system, it must notify the GIODO in advance. This is an exception to the rule that states that the GIODO must be notified within 30 days from the day the changes were made.
2. New criminal offense
Another noteworthy addition to the DPA is a new criminal provision punishing any act that prevents GIODO's inspectors from performing their inspection activities. Such acts may include, for example, refusing to show documents, making untrue statements or preventing the inspectors from entering the registered office of the entrepreneur being inspected. Anyone who attempts to obstruct a GIODO inspection may be held liable, including employees and coworkers of the data controller as well as the management board. This crime is punishable by a fine, restriction of liberty or imprisonment of up to two years.
In order to prepare for the amendment, controllers should implement an internal policy on how to deal with a GIODO inspection and train their staff accordingly (similar to policies and training on how to deal with the Antimonopoly Authority).
3. GIODO’s new entitlements to enforce its decisions
The DPA empowers GIODO to use enforcement proceedings against controllers and data processors who fail to comply with its decisions. The aim is to encourage entrepreneurs to respect and perform GIODO's decisions.
GIODO will be empowered to impose the following for any non-performance of its decisions:
- A fine to compel performance
- A substitute performance
- A direct enforcement
Imposing a fine to compel performance
This type of fine is highly effective as entrepreneurs find it burdensome.
Article 121 of the Enforcement Proceedings Act states that the fine imposed on individuals cannot exceed PLN 10,000 (EUR 2,500/USD 3,300) and the fine imposed on entities cannot exceed PLN 50,000 (EUR 12,500/USD 16,500). GIODO can repeatedly impose the same or higher fines, but the total cannot exceed PLN 50,000 (EUR 12,500/USD 16,500) for individuals and PLN 200,000 (EUR 50,000/USD 66,000) for entities.
4. Withdrawing consent
Another long-awaited modification of Article 7 of the DPA allows data subjects to withdraw their prior consent for processing personal data.
If the data subject exercises this right, the data controller must stop processing the personal data immediately on receipt of the withdrawal. As an exception to this rule, the processing can continue if there are other legal grounds for it, for example, a pending claim. The withdrawal should be made in the same form as the original consent given to the data controller.
This amendment will require data controllers to adjust their procedures and systems to handle such withdrawals.
Current practice in Poland is to collect data subjects’ consent even if it is not necessary. Under the DPA, a data controller may process personal data based on at least one specified legitimate ground, for example, when processing is necessary to execute a contract. In such a situation, a data controller does not need to collect additional consent unless the data is being transferred outside the EU.
The main risk after a data subject withdraws consent concerns whether the company can continue to process the personal data and, if so, on what grounds. If the company wrongly believes that it has legitimate grounds to process the personal data when in fact it does not, this may be considered a breach of the DPA.
On the other hand, if the company stops processing personal data that are still necessary to perform a contract between the individual and the company, the company fails to perform the contract and is therefore in breach of it.
Thus, at first, companies may find withdrawals confusing to deal with. In our view, companies should adopt a common-sense approach and implement a procedure that describes what to do when consent is withdrawn: who within the organization should receive the withdrawal or be informed about it, and how to search for another legitimate ground for processing the personal data.
Note also that when there is no other legitimate ground for processing and the controller must therefore stop processing the data of an individual who has withdrawn consent, the controller should also inform any other data controllers to which the personal data were provided, so that they too can stop processing, as there is no longer a legitimate ground for them to do so.
5. Repealing Articles 29, 30 and 50 of the DPA
Article 29, which specified the basis for mandatory and optional access to personal data for any purpose other than inclusion in a database, has been repealed. Article 30, which specified negative conditions for making personal data available, has also been repealed. These articles did not derive from the Data Protection Directive 95/46/EC; they were specific Polish provisions for the regulation of disclosure of data.
It will still be possible to access personal data. Mandatory disclosure of personal data can be granted under Article 23(1)(2), which enables the processing of personal data if it is necessary to exercise a right or perform an obligation resulting from law. In addition, the data controller may grant access to personal data based on Article 23(1)(5) if it is necessary for legally justified purposes of the data controller or the data recipient and such access does not affect the rights and freedoms of the data subject.
In connection with the repeal of Article 29, the legislature has deleted the obligations imposed on the applicant relating to such access—namely, the obligation to submit a motion for access to personal data in writing and justification of the need to process the personal data.
These changes are not likely to have a significant practical impact. The data controller must exercise due care when processing personal data and therefore should disclose personal data only based on an adequately justified request of a potential data recipient. This way, the data controller can get protection against any potential allegations of negligence from GIODO or the data subject.
Until now, most data controllers granted access to personal data under the repealed Articles 29 and 30. Administrative decisions and jurisprudence will determine the grounds for making personal data accessible as specified in the amended DPA.
With the repeal of Articles 29 and 30, GIODO and the courts might need to liberalize their current interpretation of Article 23. However, the repeal should not result in any revolutionary change in obtaining access to personal data in Poland.
6. Other changes
In addition, the amended DPA will:
- enable the creation of regional GIODO offices;
- clarify the rules relating to inspection of the data controller and the data processor and relating to GIODO’s inspection report, although the DPA reflects GIODO’s current practice;
- enable GIODO to address the public and private sectors to ensure effective personal data protection (GIODO will be able to issue guidelines for applying and interpreting privacy and data protection law);
- enable GIODO to request competent authorities to undertake legislative initiatives and to issue or amend legal acts relating to data protection;
- repeal Article 50, which sanctioned the processing of personal data for purposes that were not compliant with the original aim of the data collection. The legislature believed that this was already covered by Article 49.
Are Poland’s data controllers ready for the changes? What has Poland’s business community been doing to prepare for compliance?
Some controllers have already acknowledged the forthcoming amendments and are at the final stage of implementing their new internal procedures and policies; others have heard about the amendments but have not taken any steps to implement them. I suspect that most data controllers will start analyzing the influence of the amendments on their organizations in the coming months.
Preparing further amendments
In December 2010, GIODO opened a public consultation regarding substantial amendments to Polish privacy and data protection law, covering, for example, the status of a privacy officer; technical and organizational security measures; personal data security in public networks; and personal data security in specific regulations (including Polish employment law).
GIODO deems the changes necessary. Firstly, there will be consultations through publicly available conferences with presentations by experts, who will then prepare the relevant amendments to the existing legal acts or propose brand new legislation. We assume it will also be possible to participate in the consultations by direct submissions to GIODO or through associations. Of course, we also intend to participate actively in the consultation process, and we would be happy to voice the comments or concerns of businesses and represent them in the process.
GIODO intends to submit its amendments to the Polish Parliament at the beginning of 2012.
Michał Balicki and Emilia Stępień are partners in the Warsaw offices of Bird & Bird.