Alert – Personal data protection


Only 300 days are left until the new EU law on personal data protection starts to apply, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”). Legislative work is pending in Poland to implement certain provisions of the GDPR. It is also time for companies to focus on preparing for the new regime.

Work on the implementation of the GDPR in Poland

The basic rules on the processing of personal data in Poland are currently set forth in the Personal Data Protection Act of 29 August 1997. The GDPR, which applies from 25 May 2018, will greatly change the current Polish data protection regime. On 28 March 2017, the Ministry of Digital Affairs published a preliminary and partial draft of the new Act on Personal Data Protection, which will supplement the GDPR. Pursuant to the current draft, the consent of a parent or legal guardian will be required to process the personal data of a child under the age of 13 in relation to online services (the GDPR sets the default age at 16 but allows Member States to lower it to 13). There are also detailed articles regulating the inspection proceedings conducted by the regulator. Pursuant to the draft, the regulator’s decisions will be immediately enforceable. The proceedings before the regulator will be single-instance proceedings, and it will be possible to appeal the regulator’s decision directly to the court. Other provisions cover, for example, the mechanism for pursuing claims for personal data breaches, codes of conduct for the protection of personal data, the issuing of non-binding good practices for data processing, etc.

The final draft of the new Act is expected to be ready at the beginning of August. The Polish Parliament is expected to start work on the Government proposal in September/October 2017, and the legislative process is expected to be completed by the end of 2017.

Scope of regulation

The key objective of the GDPR is the harmonisation of personal data rules across the EU. However, the GDPR introduces a number of requirements that are new for Polish companies processing personal data, for example:

  • liability of data controllers and data processors, and the extension of the obligations of personal data processors;
  • financial administrative penalties for non-compliance with the personal data protection rules;
  • an obligation to notify the regulator of a personal data breach (where feasible, within 72 hours of becoming aware of it) and, where the breach is likely to result in a high risk to individuals, to inform the data subjects concerned;
  • a requirement to designate a data protection officer in certain cases;
  • additional rights for data subjects whose personal data is processed, e.g. the right to data portability and the right to restriction of processing;
  • a broader range of information which must be disclosed to data subjects whose data is processed; and
  • a duty to maintain an internal record of processing activities.

Compliance with GDPR

Companies which collect and process personal data should speed up the implementation of the changes necessary to ensure compliance with the GDPR. In particular, it is recommended to focus on preparatory work such as:

  • adjusting templates of consents for the processing of personal data;
  • adjusting the information provided to data subjects about the processing of their personal data, privacy policies, terms and conditions, and agreement templates;
  • verifying and adjusting internal procedures for the processing of personal data;
  • adjusting the templates of agreements entrusting the processing of personal data to processors; and
  • training employees.

The GDPR establishes a two-tier system of administrative fines which enables the regulator to impose fines for infringements: up to EUR 10 million or 2% of annual worldwide turnover for some infringements, and up to EUR 20 million or 4% of annual worldwide turnover for others, in each case whichever is higher. As there are currently no financial fines in Poland for non-compliance with the provisions on personal data protection, the GDPR significantly increases the risk associated with processing personal data for those who do not abide by the rules.