The Polish data protection authority has announced the launch of inspections concerning compliance with the provisions on data protection officers and has published the questions it will put to the inspected organisations in the course of those inspections.
Since the GDPR became applicable, the Polish Office for Personal Data Protection, both in the course of ongoing proceedings and in response to reported cases of non-compliance with the provisions on data protection officers, has exercised the powers granted to it under Art. 58 of the GDPR. The supervisory authority's experience in this area has been used to formulate a list of issues which, together with supporting evidence, the requested controllers and processors will have to address.
Since the GDPR became applicable, compliance with the provisions on the proper appointment and functioning of data protection officers has been checked during routine inspection activities. Among the issues examined were the obligation to appoint a DPO, the notification of the supervisory authority of the appointment or dismissal of the DPO, the publication of the DPO's name and surname on the controller's website, the DPO's position in the organisation's structure, and possible conflicts of interest.
In most cases, this verification turned out positively and did not give rise to the use of corrective powers. Only in a few cases did the Polish Personal Data Protection Office find irregularities, such as a conflict of interest arising from the DPO function being performed by the commune secretary, or a failure to consult the DPO on personal data processing operations.
Several cases of violations of the provisions on the performance of the DPO's function required the supervisory authority to take the corrective measures specified in Art. 58 sec. 2 of the GDPR, including an order to appoint a data protection officer in a housing cooperative, and the imposition of an administrative fine in connection with the performance of the DPO's tasks without due regard to the risks associated with the processing operations and with the DPO's lack of involvement in the processing.
In every situation reported by inspectors, the Personal Data Protection Office, pursuant to Art. 58 sec. 1 lit. a and e of the GDPR, called on controllers to provide explanations regarding the solutions they had adopted in respect of a specific obligation arising from the provisions on the protection of personal data, together with detailed and evidence-based information on the rules and practices adopted to properly implement that obligation. In all these cases, the controllers indicated that they had taken steps to bring their activities into line with the provisions on data protection officers, presenting revised organisational solutions serving this purpose. Only in one case was a decision issued in which the supervisory authority issued a warning stating that the controller had infringed Art. 38 sec. 6 of the GDPR.
The Polish Personal Data Protection Office has developed a detailed set of questions which the supervisory authority, in exercising its powers, will put to controllers and processors in both the public and private sectors. The questions are as follows:
1) Has the data controller appointed a data protection officer (DPO)?
2) Is the data controller obliged to appoint a DPO (if so, on what legal basis), or has the DPO been appointed despite the lack of such obligation?
3) Has the data controller published the name and surname and contact details of the DPO on its website or, if it does not maintain a website, in a generally accessible manner at its place of business?
4) Is the above information placed in a generally accessible place (please indicate this place; in the case of a website, please indicate its address and the link to this information)?
5) Is the data protection officer an employee of the data controller and, if not, on what legal basis does the DPO perform the DPO's duties?
6) Has the DPO been appointed exclusively by the data controller, or does the DPO also perform these duties for other data controllers?
7) On the basis of what qualifications (e.g. education, experience, knowledge) did the data controller appoint the DPO?
8) What necessary resources, as referred to in Art. 38 sec. 2 of Regulation 2016/679, does the data controller provide to the DPO?
9) How does the data controller provide the resources needed to maintain the DPO's expert knowledge?
10) What is the DPO's position in the organisational structure of the data controller, and to whom does the DPO report?
11) Has the data controller appointed a deputy DPO, and if so, when?
12) Does the data controller have a DPO team or another form of ongoing support for the DPO in the performance of the DPO's tasks?
13) How does the data controller ensure that the DPO is properly and promptly involved in all matters relating to the protection of personal data (e.g. have rules been developed on which matters are to be consulted with the DPO, who should consult the DPO and in what situations, and whether and on what terms the DPO participates in management meetings)?
14) How does the data controller provide the DPO with access to personal data and processing operations?
15) Has the data controller adopted any internal rules on the functioning of the DPO (in particular to ensure that the guarantees of the DPO's independence, the DPO's right of access to personal data and processing operations, the DPO's involvement in all matters relating to the protection of personal data, and the avoidance of conflicts of interest are respected), and if so, in which internal act are they laid down?
16) How does the data controller ensure that the DPO does not receive any instructions regarding the performance of the DPO's tasks?
17) How does the data controller ensure that the DPO is not penalised or dismissed for performing the DPO's tasks?
18) How does the data controller proceed when it does not follow the DPO's indications or recommendations, e.g. does it document the reasons for not applying them?
19) How can data subjects contact the data protection officer, as provided for in Art. 38 sec. 4 of Regulation 2016/679?
20) Does the data protection officer also perform other duties or hold a function other than the duties related to the protection of personal data, and if so:
a) what tasks does the DPO perform and how much time do these activities take; are any of these tasks related to the DPO's function?
b) how did the data controller assess that none of these tasks gives rise to a conflict of interest as referred to in Art. 38 sec. 6 of Regulation 2016/679?
c) in performing those other tasks, does the DPO report to persons other than the top management of the data controller?
21) Has the data controller developed a conflict-of-interest management policy or introduced any other mechanism to ensure the absence of conflicts of interest?
22) Does the DPO perform the DPO's tasks only at the data controller's seat, and if not, where and how is the DPO's permanent availability to the management and employees of the data controller ensured?
23) Has the DPO developed (or does the DPO systematically develop) a work plan, e.g. covering training and audits?
24) Was such a plan presented to the data controller so as to enable an assessment of whether the DPO has sufficient resources and powers in the areas covered by the DPO's tasks?
25) How often, and in what form, does the DPO provide the data controller with the results of the audits conducted?
26) Did the data controller ask the DPO for advice regarding data protection impact assessments (DPIAs), and if so, in what situations?
27) Does the data controller review the data protection officer’s work, and if so, how?
KIELTYKA GLADKOWSKI KG LEGAL assists on an ongoing basis in preparing proper and compliant policies and GDPR documentation for corporations and provides comprehensive assistance in all regulatory procedures and proceedings before the data protection authorities in Poland.