The Polish Parliament passed the Facilitation of Business Activity Act (source in Polish) which significantly amends the existing Act on Personal Data Protection. The amendments come into force 1 January 2015.
The changes mean that the EU Commission’s approved Standard Contractual Clauses for data transfers (“SCCs”) and approved Binding Corporate Rules (“BCRs”) are automatically recognised as offering adequate protection to transfer personal data to “third countries” (non-EEA and non “white list” countries). Previously, either prior consent was needed from every data subject, or authorisation from the Polish data protection authority – the “GIODO”. The amendments dispose of this requirement where a data controller (1) uses SCCs approved by the European Commission, or (2) has implemented BCRs approved by the GIODO. The new amendments specifically refer to BCRs for controllers or processors. The new legislation also allows for the use of BCRs which have been approved by other DPAs under the mutual recognition scheme. It remains to be seen, however, how smoothly this will work in practice.
The appointment of a data protection officer (or Administrator of Information Security (“AIS”), as it is known in Poland) is no longer mandatory under the new law. However, if an organisation appoints or continues with an AIS, it will be exempt from data filing registration requirements with the GIODO (except for sensitive personal data). The amendments also specify certain requirements for the AIS, such as qualifications, responsibilities, and his/her role within the organisation, e.g., s/he must report to the Management Board and have his/her details registered with the GIODO. The GIODO may require the AIS to conduct an audit of his/her organisation and report non-compliance to the GIODO. Even if an organisation chooses not to appoint an AIS, it will still have to perform most of the stipulated functions itself.
Clearly the Polish Government intends by these measures to make doing business in Poland easier. The amendments cut a number of formal, bureaucratic requirements, but at the same time add to the internal compliance burden – at least so far as data protection officers are concerned.