Poland: Significant changes for data controllers in terms of registration duties and data transfer abroad
This year has brought significant changes in Polish regulations on data protection. An amendment to the Act on Personal Data Protection has considerably reshaped the registration duties burdening data controllers.
Firstly, the provisions on the so called Information Security Administrator (Polish abbreviation “ABI”) have changed. Previously an ABI had to be appointed, unless the data controller performed ABI duties personally. As of now, it is no longer mandatory to appoint an ABI (i.e., only optional). The scope of ABI duties is now also more thoroughly defined. An additional novelty is that ABIs are now registered with the data protection authority (GIODO) and may be ordered by that authority to perform compliance checks. An ABI should be an employee reporting directly to the manager of the given company department (in practice: to the management board) or to the entrepreneur in person (in the case of one-person businesses). The ABI should be equipped with proper organizational means and separated from other business units. This is supposed to allow the ABI to operate independently (with particular focus on controls ordered by GIODO). Also important is that appointment of an ABI (optional) releases the data controller from the duty to register its personal databases with GIODO.
In addition, transfer of personal data to third-party states is now considerably easier. Apart from previous possibilities for transfer (e.g. express written consent or GIODO approval) the data controller may also transfer personal data if ensuring proper security measures in terms of protecting the privacy, rights and freedoms of the person concerned. This can be achieved either by using the standard contractual clauses approved by the European Commission (under EC Directive 95/46) in the transfer agreement, or by adopting proper corporate governance guidelines. These guidelines are subject to pre-approval by the data protection authority.
The new regulations should ease the duties of data administrators. However they also bring new responsibilities. Time will tell if this is a change for the better.
Source: Act on Simplifying Business Activity of 7 November 2014, J.L. 2014, item No. 1662.