Data protection supervision according to Polish law

The EU Data Protection Directive 95/46/EC provided for the establishment of National Supervisory Authorities, whose task would be to monitor compliance with the provisions on data protection. In Poland, this supervisory authority is the Inspector General for Personal Data Protection (Generalny Inspektor Ochrony Danych Osobowych). All the information about this authority can be found in Chapter 2 of the Polish Data Protection Act.

Duties of the Inspector General

The duties of the Inspector General include:

  • supervising to ensure that data processing complies with the law
  • issuing administrative decisions
    • according to art. 18 PDPA, where the Inspector General finds a breach of data protection provisions, it may issue an order to:
      • remedy the negligence
      • complete, update, correct, disclose, or not disclose personal data
      • apply additional measures protecting the collected personal data
      • suspend the flow of personal data to a third country
      • safeguard the data or transfer them to other subjects
      • erase the personal data
  • considering complaints
    • complaints may be sent either by regular post or by email. They must meet the requirements of art. 63 § 2 of the Code of Administrative Procedure, namely indicate at least:
      • sender’s name and surname
      • sender’s address
      • the subject matter of the case
  • maintaining the national register of data filing systems and the registry of data protection officers (administratorzy bezpieczeństwa informacji, literally ‘administrators of information security’)
  • providing information on the registered data files and the registered data protection officers
  • enforcement proceedings
  • issuing opinions on bills and regulations in the field of data protection
  • initiating and undertaking activities to improve data protection
  • participating in the work of international organizations and institutions in the field of data protection

The Inspector General performs its duties together with the Bureau of the Inspector General for Personal Data Protection (Biuro Generalnego Inspektora Ochrony Danych Osobowych).

Contact details

The Inspector General for the Protection of Personal Data (Generalny Inspektor Ochrony Danych Osobowych)
ul. Stawki 2
00-193 Warsaw
Poland

Inspections

The Inspector General and the employees of the Bureau authorized by him (hereinafter ‘the inspectors’) are competent to conduct inspections. These inspections aim not only at ensuring the legal compliance of data processing, but also at issuing administrative decisions and considering complaints. The obligation to enable the performance of the inspection lies with the head of the unit and the data controller.

The inspectors can:

  1. enter any premises:
    • where the data filing systems are being kept
    • where data are processed outside the data filing system
      • the inspectors can enter the premises between 6 a.m. and 10 p.m. upon presentation of a document of personal authorization and a service identity card
  2. demand explanations, summon and question any person in order to establish the facts
  3. consult any documents and data directly related to the subject of the inspection, and make a copy of these documents
  4. inspect any devices, data carriers, and computer systems that are used for the processing of data
  5. commission the preparation of expert analyses and opinions

Prior to conducting the inspection, a personal authorization along with a service identity card should be presented.

  • the personal authorization shall comprise the following information:
    • legal basis for the inspection
    • specification of the inspecting authority
    • name, surname, position and service identity card number of the person authorized to conduct inspections
    • specification of the material scope of the inspection
    • specification of the controlled entity, data filing system or premises
    • specification of the date of commencement of the inspection and the estimated date of its end
    • signature of the Inspector General
    • notice informing the controlled entity of its rights and obligations
    • date and place of issue

After the inspection, an official report must be prepared by the inspector who carried it out. A copy of the report is to be delivered to the controller that was subject to the inspection (art. 16(1) PDPA). The content requirements for the inspection report are specified in art. 16 of the Polish Personal Data Protection Act.