The President of the Personal Data Protection Office in Poland imposed a fine amounting to PLN 943,470 for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation. This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm). The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.