Client Alert Client Alert

The Polish personal data protection act is closer to completion

The meeting concerned Ministry opinions developed after an analysis of numerous comments on the new draft of the Personal Data Protection Act, which will implement GDPR in Poland. The comments were from public consultations open to any interested parties. Attendees included representatives of employer organizations, professional associations, trade unions, scientific and expert groups and non-governmental organizations. Wolf Theiss also took an active part in the consultations.   

The Ministry of Digitalization plans to finish working on the draft amendment by January 26th, 2018. By the end of January the draft should be in the Parliament with discussion ensuing in upcoming months. The GDPR will come into force on 25 May 2018 which means that Poland has time to implement the new regulation by this date.

The January 15th meeting was divided into 40 thematic blocks. Below is a summary of selected proposals for amendments that were discussed:

  • The Act stipulates that the Polish Centre for Accreditation will act as the body that accredits other institutions to provide certifications. The Ministry agreed with numerous opinions that granting certification exclusively to the President of the Office will create a serious administrative burden.
  • Contracting authority would require certificates from contractor in public procurement proceedings, but only as an additional condition to fulfill requirements arising from a specification.
  • The Ministry decided to remove the requirement for the President of the Personal Data Protection Office to hold an academic PhD-level degree as a criterion necessary to fulfill the role. The requirement will be substituted with an obligation to hold a university degree.
  • Proceedings before the President of the Office will be made in one instance. Decisions issued by the President of the Office will not be subject to a review (i.e., there will be no application for reconsideration of a case). The consequence of introducing single-instance proceedings is that the decisions issued by the President of the Office will be final and enforceable by operation of law. The decisions will be executed upon delivery to the party.
  • The procedure of the appointing the President of the Personal Data Protection Office remains as the Ministry of Digitalization proposed in the draft amendment. The President would be appointed by the Sejm (the lower house of the Polish Parliament) on the request of the Prime Minister. The explanation for such procedure was clear: it will be faster and the function of the President will be simultaneously connected with the executive and the legislature.
  • There will be no change in the amount of the PLN 100,000 (approx. EUR 23 981) penalty for breaking the provisions of the Act on Personal Data Protection in the public sector. The private sector would have to deal with a higher penalty, i.e., up to EUR 20 million or up to 4% of the annual global turnover of an enterprise depending on the type of violation.
  • Visual and audio recordings of associated proceedings will be permitted in the course of the control.
  • A Personal Data Protection Fund will be created which will be administered by the President of the Office. The Fund’s revenues will be drawn from 1% of the fines imposed by the President of the Office. To protect against fraud, clear spending targets (like trainings, educational activities etc.) will be established. Additionally, funds from penalties and the fund cannot be used for the benefit of the President of the Office or other employees.

Read the full text

Download PDF