25 May 2018 is an essential date for Polish entrepreneurs. Today, the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 (GDPR) and the new Personal Data Protection Act of 10 May 2018, which was prepared by the Polish government, have become effective.

The Personal Data Protection Act of 10 May 2018 is a consequence of Poland’s obligation to implement the aforementioned Regulation into the Polish legal system.

What has changed?

A new authority was set up – the President of the Personal Data Protection Office, who replaced the Inspector General for Personal Data Protection. His powers are similar to those of the President of the Office of Competition and Consumer Protection. He is appointed for a four-year term by the Sejm (lower chamber of the Polish parliament) with the consent of the Senate. Instead of one, he will be supported by as many as three deputies, and the consultative and advisory body will be the Personal Data Protection Council, appointed for a two-year term from among the candidates proposed, among others, by the Council of Ministers, foundations and associations, the Ombudsman and chambers of commerce.

Fines – the President of the Personal Data Protection Office has the authority to impose fines on public administration in the event of violations regarding personal data protection, ranging from PLN 10,000 to PLN 100,000. 

One-instance proceedings in cases of infringements of personal data protection regulations – the previous two-instance proceedings have been abolished and a 30-day time limit for controls conducted by the authority has been introduced. The authority competent to conduct the control procedure is the President of the Office. An appeal against his decision may be lodged directly with the administrative court. A complaint filed by a party with the administrative court stays the enforcement of a decision regarding the administrative fine.

It is possible to receive a certificate – the President of the Office or the certifying entity, at the request of the controller, processor, producer or entity putting a service or product on the market, has the right to issue a certificate in accordance with Article 42 of the GDPR, confirming the compliance of the data processing by the certified entrepreneur with the GDPR.

Who is exempt from the Act and EU Regulation?

The legislator decided to exercise the right granted under the EU Regulation to exempt certain entities therefrom.

Therefore, the GDPR and the Act will not apply to certain public finance sector entities (public authorities, including government administration bodies, state control and law enforcement bodies, courts, tribunals, budget entities, executive agencies, budget economy institutions and other state or self-government legal persons set up on the basis of separate acts to perform public tasks, except for enterprises, research institutes, banks and commercial law companies), to the extent that the processing of personal data is necessary to perform tasks aimed to ensure national security, if the necessary measures to protect the rights and freedoms of the data subject are provided.

At the same time, some of the GDPR provisions will not apply to the activity of editing, preparing, creating or publishing press materials, statements as part of literary activity, statements as part of artistic activity and academic statements.

The Personal Data Protection Act of 10 May 2018 was signed by the President of the Republic of Poland on 22 May 2018, announced in the Journal of Laws of the Republic of Poland yesterday (Dz.U. z 2018 r. poz. 1000), and has become effective today.