Data protection versus economic operator
There's still some time left, but less and less time. The General Data Protection Regulation enters into force in May 2018. Entrepreneurs must hurry to implement the new regulations. The government is already working on a new draft law on personal data protection.
The General Data Protection Regulation (GPR) is a legal act that creates fear among those processing personal data. Not only because of draconian fines (up to €20 million or 4% of the annual global turnover for the previous financial year), but also because of the need to adapt to completely new legal regulations. Only a part of the new obligations imposed on entrepreneurs will be presented below.
One of the novelties is undoubtedly the obligation to keep a register of personal data processing activities. Undertakings employing fewer than 250 persons shall be exempt from the obligation to keep such a register, unless the processing of data by them is likely to give rise to risks of prejudicing the rights or freedoms of data subjects, is not of an occasional nature or concerns the processing of sensitive data or personal data relating to criminal convictions and infringements. The Register may be kept in writing, including electronic form. The detailed scope of information to be included in the Register of Personal Data Processing Activities is set out in Article 30(1) and (2) of the ARO.
The RODO also introduces an obligation to report personal data breaches to the supervisory authority. The administrator has 72 hours to make such a notification, counting from the moment of its finding, and in case of exceeding this deadline should attach explanations of the reasons for the delay. The Regulation introduces a certain loophole for the controller of personal data - he is exempted from the notification requirement if the breach of personal data protection is unlikely to entail a risk of a breach of the rights or freedoms of natural persons.
The controller shall document any personal data breaches in such a way that the documentation allows the supervisory authority to verify the controller's compliance with the obligation to notify and the obligations relating thereto. In addition, where a personal data breach may result in a high risk of a breach of the rights or freedoms of individuals, the controller shall, without undue delay, notify the data subject of the breach. In this case, the controller may also fail to comply with the notification obligation, inter alia, where informing the data subject would require a disproportionate effort or where the controller has subsequently taken measures to eliminate the likelihood that the rights or freedoms of the data subject would be compromised to a high degree of risk.
The RODO introduces a definition of 'personal data breach', specifying that it is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed.
Compared to the previous national provisions of the Personal Data Protection Act, the RODO quite significantly extends the scope of the information obligation. The controller should, inter alia, indicate to the data subject the period for which personal data will be stored, and when this is not possible, the criteria for determining this period, information whether the provision of personal data is a statutory or contractual requirement or a condition for the conclusion of a contract, and whether the data subject is obliged to provide such data and what are the possible consequences of not providing such data. It should also indicate to the data subject information about automated decision-making, including profiling.
In the light of the new regulation, there will be no more information security administrators. They will be replaced by Data Protection Officers (DPOs). In principle, the setting up of the DPO is optional. However, an DPO must be designated in three situations where: (a) the processing is carried out by a public authority or body, with the exception of courts in the exercise of their judicial powers; (b) the main activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic large-scale monitoring of data subjects; or (c) the main activities of the controller or processor consist of large-scale processing of special categories of personal data referred to in Article 9(1) of the Regulation and of personal data relating to criminal convictions and infringements.
New law on personal data protection
In connection with the imminent entry into force of the general regulation on personal data protection, the Polish legislator is working on a draft of a new act on personal data protection. As most substantive issues are regulated by an EU regulation, the new Data Protection Act will focus on procedural issues. It will specify the procedures related to accreditation and certification, i.e. the possibility of obtaining a "licence" for the granting of certificates, and certification of private entities, i.e. the confirmation that a given company meets the requirements of the RODO. The law will also regulate the infringement procedure for personal data protection and the control procedure. It introduces, among others, a regulation according to which the President of the Office for Personal Data Protection (who will replace the GIODO) may stop at a reminder if he finds that the entrepreneur violates the provisions on personal data protection to a negligible extent and if the party has ceased the violations. The control provisions have also changed. The draft act provides, among other things, for the right of the controlling party to be assisted by officers of other state control bodies or the police. It seems that the use of the police when controlling personal data is too repressive.
It is also worth noting that in the proposed act on personal data protection, administrative fines for public entities cannot exceed PLN 100 thousand. The possibility of separate regulation of fines in relation to public sector entities is provided for in the Code of Ethics of the Republic of Poland. This does not change the fact that if an entrepreneur violates the provisions on personal data protection, he may be fined up to EUR 20 million, whereas in the case of the same or much more severe violation of the provisions on personal data protection by a public entity, the penalty is significantly lower.
Bearing in mind the mass of new obligations under this Regulation, every trader should take appropriate action as soon as possible. Especially as the rules of the RODO are largely unclear, they are also characterised by a high degree of generality and "soft" terms. However, it is clear that all businesses should thoroughly review their data protection documentation and consider how to implement the various requirements of the RODO.