Poland’s New Draft Data Protection Law Would Make Data Transfers Easier, Set New Rules for Data Privacy Officers

December 11, 2013, 7:34 PM UTC

Despite the ongoing efforts in the European Union to revise EU data privacy law (see report in this issue), Poland is working on a new national law that is expected to significantly revise the existing rules on the transfer of data outside the European Economic Area, as well as to influence the position of data privacy officers.

Under the draft law, Poland would finally recognize EU Standard Contractual Clauses and Binding Corporate Rules as bases for the transfer of data. In addition, data privacy officers would gain more powers and independence.

Current Situation: Uphill Battle Regarding Data Transfers, Almost No Rules Regarding Privacy Officers

Poland is one of only a few EU member countries that do not recognize Standard Contractual Clauses and Binding Corporate Rules (BCRs) as sufficient legal bases for transferring data to countries that do not ensure an adequate level of data protection. By sufficient we mean that no other steps are required to transfer the data in line with the law other than the execution of a data transfer agreement.

Under current law, in practice, most foreign companies face data transfer issues each time new software is implemented on a global level (e.g., where data centers are located in the United States or India), or when a new business process requires the transfer of customer data to headquarters. In such cases, the only possible way to transfer the data is to ask the Polish data protection authority, the Inspector General for the Protection of Personal Data (GIODO), for its consent to the transfer, or to ask each data subject for his or her consent in writing, which is impractical in large organizations. Such proceedings before the GIODO may take up to six months and require providing the authority with detailed information about the security measures implemented by the data importer, among other things. The Standard Contractual Clauses and BCRs may be helpful in obtaining the GIODO’s consent; however, execution of the clauses or implementation of the BCRs does not trigger an automatic authorization from the GIODO for the transfer.

The consent of the GIODO for a transfer is required each time a data controller hires a new vendor or intends to transfer new categories of data for a new purpose. From a business perspective, it is an uphill battle, particularly in the fast-changing business environment.

As to privacy officers, there is only one legal provision mentioning that role. Under existing law, the data controller may appoint a privacy officer to ensure that personal data is protected within an organization. There are no other legal provisions that describe the function in more detail or set out detailed requirements that the privacy officer must meet. In practice, many data controllers appoint employees from the information technology department or an ethics/compliance officer to fill that function.

Making Data Transfers Easier

Under the draft law, the GIODO’s consent would not be required for a data transfer if the data controller ensured adequate safeguards for the protection of privacy and the rights and freedoms of data subjects by executing Standard Contractual Clauses approved by the European Commission in accordance with Article 26 paragraph 4 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), or if legally binding rules or personal data protection policies, referred to as “binding corporate rules,” were approved by the Inspector General in accordance with the law.

Under the draft law, the GIODO would have to approve the BCRs adopted by a group of companies for the transfer of personal data by a data controller or an entity referred to in Article 31 paragraph 1 (data processor) to another controller or data processor belonging to the same group in a third country. Before approving the BCRs, the GIODO could consult the relevant data protection authority in the country in the European Economic Area on whose territory the group company was established, providing it with the necessary information.

New Rules on Data Privacy Officers

The draft law also proposes new rules regarding the appointment, position and duties of data privacy officers.

Under the new law, the GIODO could request data privacy officers entered in its register to verify privacy compliance within the data controller’s organization (self-inspection). After this process, the data privacy officer would present a report to the GIODO. The self-inspection process would not preclude the data protection authority from conducting an independent audit of the data controller.

A data controller could appoint a data privacy officer. The tasks of a data privacy officer should include:

  • ensuring compliance with personal data protection law, in particular by:

    – checking that the processing of personal data complies with the rules on personal data protection, and preparing a report for the data controller;

    – overseeing the development and updating of documentation required by data privacy law, and the principles it sets out; and

    – providing persons authorized to process personal data with information about the rules of personal data protection; and

  • keeping a register of databases containing personal data processed by the data controller, containing the file name and other information related to such personal data.

The data controller could delegate the data privacy officer to perform other duties if they did not impede the performance of the above tasks.

The draft law proposes to establish requirements for data privacy officers. This is a new approach in Poland, as the level of knowledge and experience of data privacy officers has sometimes been insufficient.

Under the draft law, a data privacy officer should be a person who:

  • has full legal capacity and use of public rights;

  • has a university education;

  • has an adequate knowledge of the protection of personal data; and

  • has not been convicted of an offense of willful misconduct.

A data controller could appoint alternates to the data privacy officer who fulfilled the above conditions. The data privacy officer would report directly to the head of the organizational entity or to the data controller, who would provide the data privacy officer with the resources, organizational measures and authority necessary to exercise his or her tasks independently.

The GIODO should be notified of each data privacy officer appointed by the data controller, as well as any changes to this position.

A data controller that appointed a data privacy officer would be exempted from the obligation to register databases. However, databases of sensitive personal data would still need to be registered.

Outlook

These proposed changes should have a positive impact on the level of protection of personal data in Poland.

On the one hand, data controllers would have to make additional efforts to protect personal data at a higher level, for example, by appointing data privacy officers meeting higher requirements. On the other hand, there would be no obligation to register databases of personal data, as is currently required.

The law is expected to come into force in early 2014.

Marcin Lewoszewski is an Associate and Tomasz Koryzma is a Partner with CMS Cameron McKenna Dariusz Greszta, Warsaw. They may be contacted at marcin.lewoszewski@cms-cmck.com and tomasz.koryzma@cms-cmck.com.
