On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
Data protection officers
At present, a data controller is required under the PPD to appoint an AIS to supervise compliance with its security principles when processing personal data within the data controller’s organization. The AIS position is somewhat similar to that of a data protection officer, but is not equivalent. In contrast with the EU Data Protection Directive, the PPD does not currently require the independence of an AIS and defines its obligations in a very limited manner. Under the proposed legislation, this will change.
According to the proposed amendments, the appointment of an AIS will no longer be obligatory. However, where a data controller decides to designate an AIS, it will also be required to report the appointment and dismissal of the AIS to the DPA. The DPA will maintain a publicly available register of each person appointed as an AIS in Poland. The AIS will report directly and solely to the company’s top-level management.
The bill also expands an AIS’s obligations. In particular, an AIS should ensure compliance with the provisions on the protection of personal data, especially by conducting control (inspection) activities, preparing audit reports, developing and updating internal documentation on personal data protection, and training persons authorized to process personal data within the data controller’s organization. Another new task proposed for the AIS is to maintain a register of the data filing systems processed by the data controller. Moreover, the DPA will be authorized to request that an AIS conduct internal investigations within the data controller’s organization to verify that personal data processing is compliant with the PPD.
Limitation of registration requirements
The proposed legislation also adds language modelled on Article 18 sec. 2 of the EU Data Protection Directive. Where a data controller appoints an AIS and notifies the DPA, the data controller will be released from the obligation to register the data filing system, unless sensitive data are processed by the data controller.
The above changes are still in the course of the legislative process. The Polish government, however, treats this initiative as a priority and would like to have the bill passed by the end of this year, or at the beginning of 2014 at the very latest.