For controllers
Designation and communication of DPO
The only correct and effective manner of notifying about designation/change of data/dismissal of the DPO is a notification in electronic form, affixed with a qualified electronic signature or a signature confirmed by a trusted ePUAP profile (according to Art. 10(6) of the Act of 10 May 2018 on the Protection of Personal Data, hereinafter: the Act).
The notification is to be sent using one of the below mentioned services of the biznes.gov.pl website (available in Polish only), i.e.:
- Designation of a new Data Protection Officer
- Change of contact data of current Data Protection Officer
- Dismissal of the current Data Protection Officer
- Dismissal of the current Data Protection Officer and designation of a new Data Protection Officer
Notifications effectively delivered to the Personal Data Protection Office are confirmed by the Official Submission Proof (Urzędowe Poświadczenie Przedłożenia, UPP: generated by biznes.gov.pl in the form of a UPP.xml file) and by an e-mail automatically sent to the address provided when creating the account.
According to Art. 11a of the Act, “the entity which has designated an officer can designate a person replacing the officer during his or her absence […]”.
The notification to the President of the Personal Data Protection Office about the designation of a Deputy DPO is made in the mode laid down in Art. 10 of the Act (Art. 11a(3) of the Act), which means that the only correct and effective manner of notifying about the designation/change of data/dismissal of a Deputy DPO is filling out the relevant form:
- Designation of a new Deputy Data Protection Officer
- Change of contact data of current Deputy Data Protection Officer
- Dismissal of the current Deputy Data Protection Officer
- Dismissal of the current Deputy Data Protection Officer and designation of a new Deputy Data Protection Officer
and sending it as an attachment in electronic form by means of a general ePUAP letter. The title of the letter shall reflect the title of the form.
Notifications effectively delivered to the Personal Data Protection Office are confirmed by the Official Submission Proof (Urzędowe Poświadczenie Przedłożenia: generated by epuap.gov.pl in the form of a UPP.xml file).
In case of technical problems with completing the notification, please contact the relevant technical support:
- platform biznes.gov.pl (https://www.biznes.gov.pl/en/help-centre) kept by the Ministry of Entrepreneurship and Technology,
- ePUAP users support centre (https://epuap.gov.pl/wps/portal/strefa-klienta/pomoc - service available in Polish) in Centralny Ośrodek Informatyki (IT Centre under the Ministry of Digital Affairs).
NB: please remember that notifications must be sent in Polish.
Art. 37 para. 1 of the General Data Protection Regulation provides for the obligation to designate a data protection officer for controllers and processors where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
In interpreting the notions used in Art. 37 para. 1 letters b and c of the GDPR ("core activities", "regular and systematic monitoring" and "on a large scale"), the recitals of the GDPR and the Article 29 Working Party's Guidelines on Data Protection Officers may be useful.
According to the provisions of the GDPR, the controller may request a prior consultation (Art. 36(1) of the GDPR). The Act on the Protection of Personal Data also includes the processor among the entities that may apply with a request to hold prior consultations (Art. 57(1) of the Act on the Protection of Personal Data).
Where a data protection impact assessment (DPIA) indicates that the processing would result in a high risk, the results of the assessment should be consulted with the supervisory authority prior to data processing, unless the controller decides not to process the data, e.g. not to introduce a new service.
Therefore, it should be emphasized that if the DPIA showed that the processing will not result in a high risk, there is no reason to ask the authority for prior consultation (Art. 36(1) of the GDPR).
Prior consultation is a tool for cooperation between the supervisory authority and the controller. The purpose of prior consultations is to provide the best possible safeguards for personal data processing operations by the controller in cooperation with the supervisory authority.
Revised list of operation types requiring a data protection impact assessment.
Processing activities related to offering goods or services to data subjects require a data protection impact assessment. Such obligation also exists when controllers monitor the behavior of persons in several Member States.
The Announcement of the President of the Personal Data Protection Office of 17 June 2019 on the list of personal data processing operation types requiring an assessment of the impact of the envisaged processing operations on the protection of personal data was published in the Monitor Polski (Official Gazette of the Republic of Poland) on 8 July 2019.
Pursuant to Article 35(4) of the GDPR the supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. The published list contains 12 categories of types of processing operations, together with examples of operations where there may be a high risk to the rights and freedoms and examples of potential areas covering these operations.
As a general rule, processing that meets at least two of the indicated criteria will require a data protection impact assessment. In some cases, however, a controller may consider that processing meeting only one of the listed criteria will require a data protection impact assessment. The more criteria a processing operation meets, the more likely it is to pose a high risk to the rights and freedoms of data subjects, and consequently, regardless of the measures the controller foresees applying, a data protection impact assessment will be required.
Example: A controller offers a cloud-based sports performance monitoring system that works with smart bands to record heart rate data (processing of special categories of personal data - item 4 of the list) and location data (processing of location data - item 12 of the list).
This list has been updated after taking into account the opinion issued by the European Data Protection Board and also includes processing activities related to offering goods or services to data subjects or monitoring their behavior in several Member States or which may substantially affect the free flow of personal data within the European Union.
Issuing of the Announcement of the President of the Personal Data Protection Office is based on Article 54(1)(1) of the Act on the Protection of Personal Data in conjunction with Article 35(4) and (6) of GDPR. The list is annexed to the Announcement of the President of the Personal Data Protection Office available at: http://monitorpolski.gov.pl/MP/2019/666.
Codes of conduct and certification
Data breach shall be notified (in Polish) to the competent authority - the President of the Personal Data Protection Office.
Data breach can be notified in one of the following four ways:
- electronically by sending a completed form (available below) by means of a general letter available on the platform biznes.gov.pl (How to find the Authority in the general letter form?)
- electronically by sending a completed form to the Electronic Inbox ePUAP: /UODO/SkrytkaESP
- electronically by completing a dedicated electronic form available directly on the platform biznes.gov.pl, which is an equivalent of the form available below.
- by sending a completed form by regular mail to the address of the Office.
In cases where the breach concerns persons in various EU countries, the President of the Personal Data Protection Office can be, but does not have to be, the lead supervisory authority (i.e. the authority relevant for the controller or the processor). In case of a cross-border data breach, the controller shall analyse whether the lead supervisory authority with reference to the processing activities covered by the breach is the President of the Personal Data Protection Office or perhaps another European supervisory authority (more: Guidelines for identifying a controller or processor's lead supervisory authority (WP 244 rev. 01)).
According to Article 33(1) GDPR, the controller shall notify a breach to the competent supervisory authority without undue delay. In the Republic of Poland, the competent supervisory authority in matters of personal data protection is the President of the Personal Data Protection Office.