A draft of Poland’s new draft data protection law has been released and has the potential to significantly change the rules in Poland governing international data transfers and data privacy officers.
Under existing rules, Poland is an EU member state that does not currently recognise the Standard Contractual Clauses or Binding Corporate Rules (BCRs) as sufficient legal basis for international transfers of data to third countries unable to provide an adequate level of data protection. This has meant that, to date, organisations have encountered difficulties and an administrative burden each time they transfer new categories of data for a new purpose. The only way such transfers have previously been permitted is with prior written consent of every data subject (impractical for large organisations) or with the prior consent of the Polish data protection authority GIODO (such approval taking up to six months in some cases).
The draft law proposes that GIODO’s consent will no longer be required for any international data transfers where a data controller has ensured adequate safeguards for the protection of privacy, and the rights and freedoms of data subjects by the execution of data transfer agreements, incorporating Standard Contractual Clauses approved by the European Commission. Transfers to another controller or data processor within the same group in a third country will also be permitted, where the data controller has in place BCRs approved by the Inspector General.
Regarding privacy officers, the existing law only specifies that the data controller may appoint such person, with no further specifications as to functions or requirements.
The draft law expands on the right to appoint a privacy officer, adding that privacy officers may only be appointed if they have a university education and an adequate knowledge of data protection. The functions of privacy officers will be defined as:
- Ensuring compliance with personal data protection law
- Checking that processing personal data complies with the rules on data protection, and preparing a compliance report for the data controller to submit to GIODO
- Overseeing the development and updating documentation required by data privacy law
- Providing authorized persons who process personal data with information about the rule for processing
- Keeping a register of databases containing personal data
GIODO must be notified of each data privacy officer appointed by an organisation. This notification will mean that that organisation will be exempt from registration in respect of databases.