Data protection officer according to Polish law

The data controller may, but is not obliged to, appoint a data protection officer (administrator bezpieczeństwa informacji, literally 'information security administrator'), who reports directly to the controller or, alternatively, to the head of an organizational unit. The data protection officer must be a natural person who (1) has full capacity to perform legal acts and enjoys full civil rights, (2) has relevant knowledge of personal data protection and (3) has not been punished for an intentional offence. The controller must provide the data protection officer with the means and the organizational autonomy necessary to perform his or her tasks. If the controller decides not to appoint such a person, the controller must carry out the check of the legal compliance of personal data processing itself.

Controllers that have appointed a data protection officer (and have notified the Inspector General of the appointment) are not required to register their data filing systems.

Tasks of the data protection officer

The main tasks of the data protection officer are:

  1. keeping a register of the data files processed by the controller
    • except for data files containing:
      • classified information, or
      • the name of the file and the information referred to in art. 41(1) points 2-4a and 7
  2. ensuring compliance with the data protection laws, in particular by:
    • checking the legal compliance of personal data processing and preparing a report on it for the controller
    • supervising the development and updating of the documentation describing the manner of data processing and the security measures applied
    • supervising compliance with the principles laid down in that documentation
    • ensuring that the persons authorized to process data are acquainted with the relevant data protection provisions

Content of the report

The report prepared by the data protection officer on the compliance of personal data processing must contain the information listed in art. 36c of the Personal Data Protection Act, namely:

  • specification of the controller and the address of its seat or place of residence
  • name and surname of the data protection officer
  • list of the activities undertaken by the data protection officer during the check, and the names, surnames and positions of other persons taking part in these activities
  • start and end date of the check
  • subject and scope of the check
  • description of the factual state established during the check and any other information relevant to the assessment of the legal compliance of data processing
  • breaches of personal data protection law, together with the planned or already undertaken actions aimed at restoring a lawful state
  • specification of the appendices forming part of the report
  • data protection officer's signature
    • if the report is in paper form, the data protection officer must additionally initial every page of the report
  • date and place of signing the report


According to the Inspector General's commentary, the report should be prepared in a detailed and comprehensive manner. Since it must describe the factual state found during the check, it is crucial to describe every element of the check as accurately as possible and to support the findings with relevant evidence. The report must also state how the personal data are processed and give any other information relevant to assessing the legal compliance of the processing. Any breaches of data protection law that were found must be recorded, together with the actions planned or already taken to restore compliance. The report should list any annexes or other attachments that form part of it. It should also document the controller's legal status by attaching relevant evidence (e.g. copies of, or excerpts from, registers). The Inspector General's commentary and a sample report are available (in Polish) at: https://abi.giodo.gov.pl/sprawdzenia-dla-giodo/abc-sprawdzenia/sprawozdanie.

Data protection officer’s appointment and dismissal

The controller is obliged to notify the Inspector General for Personal Data Protection (Generalny Inspektor Ochrony Danych Osobowych) of the appointment or dismissal of a data protection officer within 30 days of the appointment or dismissal. At the request of the controller or of the officer, the Inspector General may issue a certificate confirming the registration of the data protection officer.

The data protection officer’s appointment notification must contain the following information:

  • Specification of the controller and the address of its seat or place of residence, including the identification number from the national official business register (numer identyfikacyjny rejestru podmiotów gospodarki narodowej), if one has been granted
  • Data of the data protection officer:
    • Name and surname
    • PESEL number, if granted; otherwise the name and number of an identity document
    • Correspondence address, if different from the address of the controller's seat
  • Date of appointment
  • Controller's statement that the officer fulfils the qualification requirements (full capacity to perform legal acts and enjoyment of full civil rights, relevant knowledge of data protection, no conviction for an intentional offence) and that the officer reports directly to the controller or to the head of an organizational unit

The data protection officer’s dismissal notification must contain the following information:

  • Specification of the controller and the address of its seat or place of residence, including the identification number from the national official business register (if granted)
  • Data of the data protection officer:
    • Name and surname
    • PESEL number, if granted; otherwise the name and number of an identity document
  • Date of and reason for dismissal

Note that the controller is also obliged to notify the Inspector General of any change to the above information within 14 days of the change.