Poland Introduces Amendments to Data Protection Legislation
Data protection officers
At present, a data controller is required under the PPD to appoint an administrator of information security ("AIS") to supervise compliance with its security principles when processing personal data within the data controller’s organization. The AIS position is somewhat similar to that of a data protection officer, but is not equivalent. In contrast with the EU Data Protection Directive, the PPD does not currently require an AIS to be independent and defines its obligations in a very limited manner. Under the proposed legislation, this will change.
According to the proposed amendments, the appointment of an AIS will no longer be obligatory. However, in cases where a data controller decides to designate an AIS, it will also be required to report the appointment and dismissal of the AIS to the DPA. The DPA will maintain a publicly available register of each person appointed as an AIS in Poland. The AIS will report directly and solely to the company’s top-level management.
The bill also expands an AIS's obligations. In particular, an AIS should ensure compliance with the provisions on the protection of personal data, especially by conducting controlling activities, preparing audit reports, developing and updating internal documentation on personal data protection, and training persons authorized to process personal data within the data controller's organization. Another new task proposed for the AIS is to maintain a register of data filing systems processed by a data controller. Moreover, the DPA will be authorized to request that an AIS conduct internal investigations within the data controller's organization to verify that personal data processing is compliant with the PPD.
Limitation of registration requirements
The proposed legislation also adds language following the provisions of Article 18 sec. 2 of the EU Data Protection Directive. In situations where a data controller appoints an AIS and notifies the DPA, the data controller will be released from the obligation to register the data filing system, unless sensitive data are processed by the data controller.
The above changes are still in the course of the legislative process. The Polish government, however, treats this initiative as a priority and would like to have the bill passed by the end of this year, or at the beginning of 2014 at the very latest.