General Data Protection Regulation (GDPR) implemented in Poland

The General Data Protection Regulation entered into force on May 24, 2016, but it will not apply in Poland until May 25, 2018. The GDPR defines principles for the processing, storage and use of personal data. The new regulation introduces new liability rules and possible financial sanctions, and imposes new obligations on the entities that process and use such data.

The GDPR, introduced in Poland as part of the EU-wide unification of the rules governing personal data processing, sets out general principles that entrepreneurs in Poland will be required to comply with. Accordingly, companies will be required to analyse the data they already hold, as well as their procedures for sharing and storing it.

The new regulation will mainly affect entrepreneurs processing significant amounts of personal data at the regional, national or international level, i.e. financial institutions, banks, internet service providers, telecommunications and insurance companies, etc. These entities will be required to implement a completely new system ensuring compliance with data protection principles, covering technical, organizational and legal issues alike. This will involve, among other things, applying privacy protection principles from the very beginning of the design phase of specific technological solutions and taking into account how data processing may affect customer privacy, especially in cases involving customer profiling or the monitoring of geolocation data collected in public places.

Additionally, the GDPR introduces a new dimension of responsibility. In addition to the financial penalties and liability for damages borne by the data administrator, entities involved in processing the collected data will be jointly and severally liable. Some entities will also be required to appoint a Data Protection Officer within their structures. This obligation will apply to all public institutions (excluding courts), entities engaged in regular and automated processing of data, and those processing sensitive data.

In addition, entities such as telecommunications undertakings, banks and insurers will be required to regularly and continually assess the impact of their processing of personal data, including assessing the threats to clients’ rights. These assessments should begin at the earliest possible stage in the design of data processing operations, even if some of those operations are not yet fully defined. In practice, this means that the protection of personal data will become an essential part of the basic operating standards of all entities.

Violation of the new rules will result in financial penalties, the amount of which will depend on the type of violation and can be as high as 10 or 20 million euros.

However, the Polish Ministry of Digitization wants to exempt micro-, small and medium-sized enterprises from certain obligations under the new provisions. This possible exemption could cover entrepreneurs employing fewer than 250 people, unless they process sensitive data and transfer it to third parties. According to the Ministry’s recommendations, such entrepreneurs would not be obliged to inform clients which entity acts as the data administrator, the purpose of the collection or the storage period, which differs significantly from the information obligation envisaged by the regulation. However, in the view of the Inspector General for the Protection of Personal Data, such exclusions limit consumer protection and are likely to be contested by the European Commission.