3 months since GDPR has been in force

On 25 August 2018 3 months had passed since Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) had come into force. We have presented below a short summary on the application of GDPR.

Two meetings were held of the European Data Protection Board

On 25 May 2018 the first plenary session was held of the European Data Protection Board (EDPB) in Brussels. The members of EDPB, which will replace the Article 29 Working Party, are the European Data Protection Supervisor (EDPS), and supervisory bodies of Member States. The first meeting was also attended by the Polish President of the Data Protection Office. During this meeting, the Board elected a Chairperson for a 5-year term of office (Andrea Jelinek, Austria), as well as two Vice-chairpersons (Ventsislav Karadjov, Bulgaria, and Willem Debeuckelaere, Belgium). At a subsequent meeting, on 4-5 July 2018, procedures were discussed for co-operation and coherence in the area of exchange of information on the internal market (IMI); also discussed were changes concerning the second directive on payment services, amongst others, ways of granting and withdrawing consent, regulatory technical security, co-operation between banks and the European Commission and EDPS. A third EDPB meeting is planned for 25-26 September 2018.

Minister for Digitalization inaugurated the work of the Personal Data Protection Group

On 2 July 2018 the Minister for Digitalization organized a first meeting of the Personal Data Protection Group. The Group is to serve an exchange of experience and discussion of problems linked to implementing of GDPR, and the effect of its work is to prepare instructions, guides, answers to frequently asked questions, and prepare a key to proceedings in the most often encountered situations of over-interpretation of the provisions of the GDPR. The Group is divided into sub-teams and each sub-team will be responsible for a specific sector – e.g. concerning education or health. The first meeting of the Group was attended by over 90 people, amongst others members of the Personal Data Protection Office (PDPO).

Public consultations by the President of PDPO

The President of PDPO conducts a range of public consultations. On 15 July 2018 the President of PDPO finished the consultations concerning video monitoring of employees. The President of PDPO received 50 notifications, mostly from public entities. The effect of these consultations is to be the preparation by PDPO of sample information clauses which meet the GDPR requirements or the preparation of answers related to video monitoring used in public transport. Also the Instructions of the President of PDPO concerning the use of video monitoring will be updated. As yet there is no information on the PDPO website as to when one may expect these updates.

One may also expect an acceptance of the postulates of, amongst others, trade unions which have voiced their objections to art. 22(2) §2 of the Labor Code, which at present permits the use of monitoring in sanitary areas (washrooms), cloakrooms, as well as areas made available to the trade union. The Ministry of Family, Work and Social Policy passed on the pertinent comments to the Ministry of Digitalization for them to be taken into account during the preparation of the statute implementing the GDPR.

On 17 August 2018 the President of PDPO completed consultations concerning personal data processing in relation to employment. The effect of the consultations is to be an extension of the latest instructions of the General Inspector of Personal Data Protection in this regard, entitled “Decalogue of a recruiter”, to include issues concerning recruitment, self-employment, employment on the basis of civil-law contracts, and the rules for protection of personal data in relation to employment of foreigners.

The first deadline has expired for notifying about the appointment of Data Protection Officers (DPO)

31 July 2018 saw the lapse of the first transitional deadline, specified in the Personal Data Protection Act, for putting forward Data Protection Officers (DPO). In accordance with the Act, administrators and processing entities which have not appointed an information security administrator (ISA), and which pursuant to the GDPR are so obligated, should have sent a notification by 31 July 2018 about such person having been appointed. The next deadline related to the appointment of a DPO will expire on 1 September 2018 and relates to entities where up to 24 May 2018 an information security administrator operated, and which on 25 May 2018, by virtue of the Act, became by virtue of law a personal data protection inspector. The only correct and effective possibility of notifying the President of PDPO about the appointment of a data protection inspector is a notification in the form of an e-mail with a qualified electronic signature or signature confirmed by a ePUAP trusted profile.

We are still awaiting the Act on an amendment to the detailed acts for the purpose of adapting them to the GDPR (act implementing the GDPR). On 23 August 2018 the Permanent Committee of the Council of Ministers adopted the draft of this act.

Summary

As can be seen, the Ministry of Digitalization and the Personal Data Protection Office are still taking numerous steps to implement the GDPR into the Polish legal system. Steps such as public consultations or the creation of the Personal Data Protection Group follow above all from the needs reported by public entities and undertakings – these entities are not yet prepared for the GDPR. As follows from the PDPO website, 750 complaints had been received by the end of June 2018 related to personal data protection, 500 notifications were received about a breach of data protection, and over 600 queries concerning application of provisions.

Powiązane