DPIA list of the Polish supervisory authority

The Polish supervisory authority has published a proposal for the list of processing activities, for which a DPIA will be required. The detailed list includes, for example:

  • Evaluation or assessment, including profiling and prediction (behavioral analysis) for purposes that may have negative legal, physical, financial or other effects on a person
  • Automated decision-making that produces legal, financial or similar material results
  • Processing of special categories of personal data, concerning convictions and legal violations

The proposed list includes many activities in the employment context, for example:

  • Monitoring of working time and IT systems
  • Processing of employee biometric data
  • Employee productivity-assessment systems

The full list (in Polish) is available at: https://giodo.gov.pl/pl/file/13366.

Unofficial translation in English: https://iapp.org/media/pdf/resource_center/Mandatory-DPIA-Poland-klattorneys.pdf.

Guidelines of the supervisory authorities

Guidelines on the DPIA (in Polish) are available at:

https://uodo.gov.pl/data/filemanager_pl/706.pdf and

https://www.uodo.gov.pl/data/filemanager_pl/707.pdf.

Prior consultation

The request form (in Polish) for prior consultation (Art. 36 GDPR) may be found at: https://www.uodo.gov.pl/pl/127/219.