On Monday, January 15th, 2018, in the Column Hall of the Polish Parliament, the Ministry of Digitalization organized a meeting to summarize the public consultations on the package of legislative changes required for implementation of “GDPR”, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
The meeting concerned Ministry opinions developed after an analysis of numerous comments on the new draft of the Personal Data Protection Act, which will implement GDPR in Poland. The comments were from public consultations open to any interested parties. Attendees included representatives of employer organizations, professional associations, trade unions, scientific and expert groups and non-governmental organizations. Wolf Theiss also took an active part in the consultations.
The Ministry of Digitalization plans to finish working on the draft amendment by January 26th, 2018. By the end of January the draft should be in the Parliament, with discussion ensuing in the upcoming months. The GDPR will come into force on 25 May 2018, which means that Poland has until this date to implement the new regulation.
The January 15th meeting was divided into 40 thematic blocks. Below is a summary of selected proposals for amendments that were discussed:
- The Act stipulates that the Polish Centre for Accreditation will act as the body that accredits other institutions to provide certifications. The Ministry agreed with numerous opinions that granting certification exclusively to the President of the Office will create a serious administrative burden.
- A contracting authority would require certificates from a contractor in public procurement proceedings, but only as an additional condition to fulfill requirements arising from a specification.
- The Ministry decided to remove the requirement for the President of the Personal Data Protection Office to hold an academic PhD-level degree as a criterion necessary to fulfill the role. The requirement will be substituted with an obligation to hold a university degree.
- Proceedings before the President of the Office will be made in one instance. Decisions issued by the President of the Office will not be subject to a review (i.e., there will be no application for reconsideration of a case). The consequence of introducing single-instance proceedings is that the decisions issued by the President of the Office will be final and enforceable by operation of law. The decisions will be executed upon delivery to the party.
- The procedure for appointing the President of the Personal Data Protection Office remains as the Ministry of Digitalization proposed in the draft amendment. The President would be appointed by the Sejm (the lower house of the Polish Parliament) on the request of the Prime Minister. The explanation for such a procedure was clear: it will be faster and the function of the President will be simultaneously connected with the executive and the legislature.
- There will be no change in the amount of the PLN 100,000 (approx. EUR 23 981) penalty for breaking the provisions of the Act on Personal Data Protection in the public sector. The private sector would have to deal with a higher penalty, i.e., up to EUR 20 million or up to 4% of the annual global turnover of an enterprise depending on the type of violation.
- Visual and audio recordings of associated proceedings will be permitted in the course of the control.
- A Personal Data Protection Fund will be created, which will be administered by the President of the Office. The Fund’s revenues will be drawn from 1% of the fines imposed by the President of the Office. To protect against fraud, clear spending targets (such as training, educational activities, etc.) will be established. Additionally, funds from penalties and the fund cannot be used for the benefit of the President of the Office or other employees.
The Polish government is considering exempting small- and medium-sized businesses from having to comply with key requirements of the incoming General Data Protection Regulation, causing alarm among privacy advocates, members of the European Parliament and the country’s data protection authority. The requirements that would be exempted for companies employing up to 250 people would include Article 13.2’s obligation to tell people how long their data will be stored and what their rights are regarding things such as objections to processing, demands for rectification and deletion, access to their data, data portability, and the right to complain to the Polish DPA, GIODO. Key observers are appalled, reports David Meyer in this exclusive for The Privacy Advisor. “The proposed exemption is too broad and does not fulfill the requirements of restriction of the obligations and rights provided for in Article 23 of the [GDPR],” said Inspector General for Personal Data Protection Edyta Bielak-Jomaa.