Poland Publishes New Draft Data Protection Acts “Implementing” the GDPR

The Polish government recently published a package of draft data protection laws designed to “implement” the GDPR into Polish law. With amendments to more than 130 existing pieces of legislation, this reform is one of the largest in the country in years, and will bring changes across the entire Polish data protection landscape.

The reform is composed of a draft Personal Data Protection Act (PDPA Draft), containing provisions for the overall implementation of the GDPR, and draft provisions amending numerous pieces of sector legislation (Amending Act Draft) to align them with the GDPR.


PDPA Draft

The PDPA Draft is intended to replace the current Polish Data Protection Act and sets out all administrative, procedural, and other general details designed to “implement” the GDPR. Some of its main provisions include:

  • Reshaping of the Polish data protection authority: The Bureau of the Inspector General for the Protection of Personal Data (GIODO) will be replaced by the new “Office for Personal Data Protection,” which will be chaired by a President. It will be supported in its tasks by the “Council for the Protection of Personal Data,” which will act as a consultation and advisory body.
  • New procedures for investigations and proceedings for infringement.
  • Introduction of rules for civil liability.
  • New criminal sanctions for anyone who impedes or obstructs an investigation regarding compliance with data protection laws, or processes sensitive personal data without a legal basis.
  • New accreditation and certification mechanisms.
  • Reduction of the age of consent for children using information society services to 13 years old.
  • Transitional period for appointment of DPOs: data protection officers appointed under the current Polish Data Protection Act (Administrator Bezpieczeństwa Informacji) will act as acting DPOs from 25 May 2018 until 1 September 2018. After that, each organization will have to notify the POPDP either that a “GDPR DPO” has been appointed, or that the acting DPO does not have a “GDPR DPO” function.


Amending Act Draft

The Amending Act Draft covers a vast range of activities and sectors, including, for example, the employment, banking, e-services, and telecoms sectors. Some of the most interesting changes include:

  • Employment Law: Clarifying existing doubts on this issue, the Labour Law Code will now explicitly list the categories of personal data that employers are required to collect about their job candidates/employees. It will also allow employers to rely on the employee’s consent to collect additional data (including biometric data), but only if it relates to the employment relationship. Information about an employee’s addictions, health, or sexual life or orientation cannot, however, be processed, even with the employee’s consent. The draft also contains additional provisions regarding processing operations required to comply with legal obligations, and regarding the monitoring of employees.
  • Banking Law: the draft explicitly allows the automated processing of personal data, including profiling, by banks and other credit institutions for the purposes of evaluating creditworthiness and conducting credit risk assessments, as well as for statistical analysis.

These draft acts have been welcomed by Polish data protection experts, as they not only provide more predictability for organisations preparing for the coming into effect of the GDPR, but also clarify many grey areas of the current Polish data protection framework. The drafts are now open for consultation, which will run until 13 October.

The official text of the draft legislation can be found here (only available in Polish).


How OneTrust Helps

OneTrust provides privacy management tools with templates and questionnaires that can help organisations comply with privacy obligations around the world, including the GDPR. Questionnaires can be tailored by country to address any specific requirement applicable in a given country.