Amendments to the Act on personal data protection introduced at the beginning of 2015
Author: Agnieszka Wesołowska
On 27 November 2014 the new Act on facilitating the performance of business activity was published. By virtue of these new provisions, the rules of personal data protection are subject to some changes. Below is brief information on the most important changes which this Act introduces into the provisions of the Act on personal data protection.
As of 1st January 2015, changes are introduced in the rules on security of personal data protection in three areas: the principles of appointing the Information Security Administrators (hereinafter: the ISA) and their competence, the registration of personal data files, and the transfer of personal data to third countries.
Pursuant to the amendment, an entrepreneur who appoints an ISA will be required to report this fact within 30 days to the General Inspector for Personal Data Protection (hereinafter: the Inspector), who will enter the ISA into its register. In return, the entrepreneur will be exempted from reporting to the Inspector the registration of personal data files and changes made therein. These benefits, however, will not be applicable to sensitive data. Moreover, the inspections carried out by the Inspector will be less frequent. At the request of the Inspector, it will be the ISA who will be entitled to carry out such an inspection, the results of which will then be forwarded to the Inspector in the form of a report on the compliance of personal data processing with the relevant provisions on the protection of personal data. The amendment precisely lists the elements that must be included in the report prepared by the ISA. Importantly, however, the inspection made by the ISA and the subsequent provision of the report do not exclude the right of the Inspector to conduct an inspection of this particular entrepreneur.
The appointment of an ISA will not mean the obligation to employ an additional person, as it can be an employee who fulfills other tasks. It can also be a person from outside the organization, on the basis of outsourcing. The amendment specifies the tasks of the ISA, which will include, inter alia, ensuring compliance with the legal provisions on the protection of personal data, supervising the development and updating of the relevant documentation, ensuring that persons authorized to process personal data are familiar with the relevant provisions of law, and keeping a file of the data processed by the personal data administrator.
The amendment also identifies the requirements which are to be met by a person appointed to the position of the ISA. Such a person must hold full capacity to enter into legal transactions and enjoy full public rights, have adequate knowledge of the protection of personal data and must not have any criminal record.
Any personal data administrator who fails to appoint an ISA will be required to perform the duties imposed by the Act on the ISA themselves, with the exception of the inspection report referred to above.
Under the new legislation, entities that do not process data using information systems will also be exempt from the obligation to register personal data files. This facilitation will also apply to entrepreneurs who provide personal data to countries outside the European Economic Area. Under the current provisions, such entities must obtain the permission of the Inspector; after the entry into force of the amendment, they will be exempt from this obligation provided they apply the standard contractual clauses approved by the European Commission or the binding rules or policy of data protection approved by the Inspector.