Agnieszka Szydlik, Barbara Majewska

Amendment of Personal Data Protection Act

The Polish Inspector General for Personal Data Protection will have authority to impose fines for failure to comply with data protection orders. The ability to withdraw consent to processing of personal data has also been clarified.

Amendments to the Personal Data Protection Act 1997 go into effect on 7 March 2011. This is the most important set of changes in the act since 2004, significantly expanding the authority of the Inspector General for Personal Data Protection (GIODO) and modifying certain rules for processing of personal data to achieve more effective enforcement of data protection obligations. The changes also represent further implementation of the European Union’s Data Protection Directive (95/46/EC).

Changes concerning GIODO

The biggest changes in the act concern GIODO and the authority of the Inspector General. GIODO has now been vested with authority to enforce non-monetary administrative obligations imposed under decisions issued by GIODO. Decisions that will be enforceable by GIODO are those that impose on the respondent the obligation to act in a specific manner, e.g. an order to bring operations into compliance with the law or an order restricting processing of data to storage only.

This change also entails changes in the Act on Administrative Execution Proceedings, under which GIODO has now become an enforcement authority, and in the event of failure to comply with non-monetary obligations imposed under administrative decisions, GIODO will be able to impose execution sanctions in the form of a fine to compel performance. The scope of this regulation covers all obligations imposed by GIODO, i.e. an obligation to cease and desist or an obligation to perform a specific action. GIODO will be able to issue an order imposing a fine to compel performance, and if compliance does not follow, GIODO will issue a writ of enforcement and file it with the tax office with a motion to commence execution. A fine may be imposed multiple times.

The amending act also establishes two new non-executive competencies of GIODO, under the new Art. 19a of the Personal Data Protection Act. Namely, GIODO will be able to officially address authorities of the central and territorial government, public organisational units, and legal and natural persons generally, in order to further the effective protection of personal data. GIODO will also be authorised to initiate legislative proposals involving personal data protection.

Another change involves the organisation of personal data protection offices, authorising GIODO to open field offices when justified (Art. 13(1a)). This is designed to give citizens better access to the Polish data protection authority.

Changes concerning access to data

Art. 29 and 30 of the act have been repealed. These provisions governed release of data for purposes other than adding them to a database by a data controller. This change was designed to adapt the act to EU regulations, particularly the Data Protection Directive. From 7 March 2011, the basis for demanding access to personal data will thus be the general provisions set forth in Art. 23(1) and 27(2) of the Personal Data Protection Act.

Change concerning consent to processing of data

The amendment clarifies the wording of Art. 7(5) of the act, which governs the permissibility of withdrawing consent to processing of personal data, an issue that had been the subject of much controversy in the literature. Now Art. 7(5) provides for the ability to withdraw consent at any time, effective from that time forward.

Barbara Majewska and Agnieszka Szydlik, Personal Data Protection team, Wardyński & Partners