On November 24, 2014, the Polish President Bronisław Komorowski signed into law a bill that was passed by Polish Parliament on November 7, 2014, which amends, among other laws, certain provisions of the Personal Data Protection Act 1997. As a result of the amendments, data controllers will be able to transfer personal data to jurisdictions that do not provide an “adequate level” of data protection without obtaining the prior approval of the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”), provided that they meet certain requirements specified under the bill. In addition, the bill amends Polish law so that it is no longer mandatory to appoint an administrator of information security (administrator bezpieczeństwa informacji or “ABI”). An ABI is similar to a data protection officer but an ABI has narrower responsibilities that predominantly concern data security.
Currently, Poland is one of the EU Member States that requires obtaining the (1) prior written consent of every data subject or (2) prior consent of the GIODO to transfer personal data to third countries that do not provide an “adequate level” of data protection. As a result of the recent amendments, data controllers will be able to transfer personal data to third countries that do not provide an “adequate level” of data protection without the GIODO’s prior approval if they (1) execute standard contractual clauses approved by the European Commission, or (2) have implemented Binding Corporate Rules approved by the GIODO.
Under the new regime, the appointment of an ABI will be optional. The bill does impose duties on ABIs so if a data controller does not appoint an ABI, the data controller itself will have to assume the newly created duties (except the duty to prepare a report for a data controller). If the data controller appoints an ABI, the appointment and removal of the ABI must be registered with the GIODO within 30 days of the appointment or removal. The amendments also specify the role of an ABI and qualifications that an ABI must have, including a university education and sufficient knowledge of the provisions of the data protection law. Also, if the data controller appoints an ABI and notifies the GIODO of the appointment, the data controller will be released from the obligation to register its data filing system, unless it processes sensitive data.
The law becomes effective on January 1, 2015.