Irrespective of the fact whether we carry on our business online or not, we are under an obligation to comply with the basic rules in respect of personal data processing. Let us sum up the most important changes to the Act on personal data protection.

 

Beginning from 2015 appointing ABI is not obligatory, i.e. an entity may, but does not have to appoint a personal data controller (who decides about the purposes and objectives of data processing, e.g. a company that processes the data of its clients for the needs of sending out newsletters).    

 

An Information Security Administrator functions within the structure of the given unit. The personal data controller entrusts ABI with certain duties, including the duties linked with data processing.

 

From the viewpoint of the entrepreneur, appointment of an Information Security Administrator is connected with simplifications as well as certain obligations.  This is so because such a person will directly cooperate with the Inspector General for the Protection of Personal Data – the Inspector General may ask the Information Security Administrator that has been entered into the register for verification of the compliance of personal data processing with the provisions on personal data protection and for preparation of a report for the needs of the personal data controller.    

 

The Information Security Administrator has the following statutory duties:

1) to ensure compliance with personal data protection regulations, especially through: 

• verification of compliance of personal data processing with the provisions on personal data protection, and preparation of a report for the needs of the personal data controller, 

• oversight of the development of and updates to the documentation on the processed data, as well as compliance with the rules laid down therein, 

• ensuring that the persons entrusted with the task of personal data processing familiarize themselves with the provisions on personal data protection;

2) to keep a register of databases processed by the data controller, unless generally such databases are not subject to registration,

The data controller is under an obligation to notify the Inspector General of appointment and dismissal of ABI within 30 days of such appointment and dismissal. 

The Inspector General will keep a register of ABIs which – similarly to the register of personal databases – will be open, i.e. publicly available.

 

2. Notifications in respect of databases 

 

As a rule, the data controller should notify the Inspector General for the Protection of Personal Data about the personal databases processed in the company.  If a specific entrepreneur decides to appoint ABI and registers this function with the Inspector General, such an entrepreneur will be released from the obligation to register personal databases, except for sensitive databases - this is a new rule that should prove beneficial for enterprises.

 

3. Transfer of databases within groups of companies and to third countries

 

Until now transfers of databases within groups where not all companies were seated in the European Union appeared rather troublesome, because from the EU perspective many of such “third countries” did not meet the criteria for safe personal data processing.

 

Beginning form January 2015 the terms of transferring such data have changed. Personal data may be transferred to a third country that does not ensure a proper level of personal data protection in its territory upon consent of the Inspector General, issued as an administrative decision, providing the data controller provides proper security in the scope of protection of the privacy and the rights and liberties of the person that the data concerns.     

 

The consent of the Inspector General is not required if the data controller provides appropriate security measures in respect of protection of privacy as well as the rights and liberties of the person that the data concerns by means of:

1) standard contractual clauses concerning personal data protection, approved by the European Commission, or 

2) legally binding personal data protection rules and policies (“binding corporate rules”) that have been approved by the Inspector General and accepted within a group of enterprises for the needs of transferring personal data to another entity belonging to the same group.  

 

The above is significant form the viewpoint of both large and small enterprises (in the past it often happened that the necessary data exchange with the mother company seated outside EU was difficult).  

Overall, the amendments should be assessed as advantageous for enterprises, because they simplify the procedures in place – hence they have been included in the deregulatory package.

 

Rafał Malujda – Legal Counsel