Amendments to the Data Protection Act
Legal alert (2/2015)
Following the amendments to the Data Protection Act, which came into force at the beginning of the year, every entrepreneur should consider whether to appoint a new type of data security officer (ABI). This applies also to those entrepreneurs who have already appointed such officers. The amendment is particularly important as current officers may hold their positions only until 30 June 2015.
If a data security officer is appointed:
- an entrepreneur will be released from the obligation to register personal data files with the Inspector General for Personal Data Protection (GIODO); however
- it will be necessary to enter a new data security officer in the register kept by GIODO;
- an entrepreneur’s personal data files will be registered by the officer;
- the officer may be obliged to inspect the entrepreneur at GIODO's request.
If a new data security officer is not appointed:
- an entrepreneur will be obliged to register personal data files with GIODO;
- an entrepreneur will not have to register the officer with GIODO;
- inspections will be carried out by GIODO staff.
Additionally, entrepreneurs who operate within international capital groups should check once again whether a transfer of personal data to group entities outside the EU will require GIODO's consent, or whether such transfers will be possible without that consent on the basis of the group's internal regulations or agreements concluded between the group's entities.
New Data Security Officer
Data Security Officers are appointed by data administrators to make sure that data protection principles are not violated.
The new regulations clearly state that appointing an officer is a right, not an obligation. Officers appointed before the effective date of the discussed regulations may hold their positions until they are entered in the new Data Security Officer register (details below), but no later than 30 June 2015.
Until now, anyone could be appointed a data security officer. Following the amendments, an officer will have to satisfy the following requirements:
- have full capacity to perform acts in law and enjoy full political rights;
- have sound knowledge of personal data protection;
- have no criminal record with respect to intentional offences.
New regulations specify in detail the responsibilities of the officer. These will include ensuring compliance with personal data protection regulations, and keeping a record of personal data files processed by a data administrator, which is a new and especially important task.
As a compliance supervisor, a new officer will be obliged to:
- verify compliance of personal data processing with personal data protection regulations and draft a report for the data administrator;
- supervise the drafting and updating of the documentation describing data processing methods and protection measures, and ensure that it is complied with;
- train individuals authorised to process personal data with regard to personal data protection regulations.
An officer will report directly to the entity's manager. Under the new regulations, deputy officers may be appointed, and officers may also be given other duties, provided these do not adversely affect the performance of their key tasks.
Since the role of the officer has changed, GIODO will keep a central register of officers. Data administrators will be obliged to report any appointment or dismissal of a data security officer. If requested by GIODO, a new officer will be obliged to inspect the compliance of personal data processing with personal data protection regulations.
This means that, although appointed by a data administrator, a data security officer will, at GIODO's request, inspect their own company.
During an inspection carried out for GIODO, a data security officer will be obliged to analyse the facts and collect evidence supporting their findings. The officer will also be authorised to request information from selected persons or to carry out an on-site examination. Every inspection will have to be recorded in writing. The officer will also have to draft a report and submit it to the data administrator.
The new competencies of the officer as described above clearly indicate that, although appointed by a data administrator, a data security officer will have a special position within the business structure, in particular if acting on GIODO’s request.
Personal data file registers kept by a data security officer, not GIODO
The amendment introduces a new, general waiver from the obligation to register personal data files with GIODO.
Data administrators who appoint data security officers and submit their data to the record maintained by GIODO will be exempted from the obligation to register their personal data files with GIODO. The above waiver will not, however, apply to sensitive data files.
This does not mean that the data files kept by administrators will not be registered at all. The obligation will be transferred from GIODO to data security officers, who will maintain internal registers of personal data files kept by the data administrator.
A data security officer will have to keep a register of data files which so far did not have to be registered with GIODO, i.e. in particular:
- data files processed in connection with new staff hired by the data administrator, or with services performed for the administrator under civil law agreements;
- data files processed only to issue an invoice or receipt or for the purposes of financial reporting;
- data files with only publicly available data.
The registration obligation will not apply to non-electronic files, provided that the files do not contain sensitive data, i.e., among other things, information about race or ethnicity, political views, religion, political or union affiliation or health.
The register of data files kept internally by a data security officer will be public, and the officer will be obliged to make it available to any interested party.
For every personal data file in the register kept by the officer, the entry will have to include, among other things: the legal basis for processing the data in the file; the purpose of the processing; the categories of persons whose data is in the file; the scope of the data processed; any transfers to third countries; how the data is collected and disclosed; and who receives the data.