Notification obligations under Polish data protection law

Data processing notification obligation

The controller of personal data (administrator danych osobowych) is obliged to register its data filing system(s) in the Inspector General’s register. The notification should be made before the first processing of personal data. In the case of sensitive data, however, processing is allowed only after the filing system has been registered (art. 46 PDPA).

  • The controller is exempt from registering the filing system(s) in some cases, such as when it appoints a Data Protection Officer and registers him/her in the General Inspector’s database instead. This, however, does not apply to the processing of sensitive data. For more information, see Section 10.3 ‘Exceptions’ below.

The data filing system can be registered via an online form available at: https://egiodo.giodo.gov.pl/formular_step0.dhtml. A template can be found in the attachment to the Regulation of 2008 on the template of the filing notification for the registration by the Inspector General for the Protection of Personal Data (Rozporządzenie w sprawie wzoru zgłoszenia zbioru do rejestracji Generalnemu Inspektorowi Ochrony Danych Osobowych), which is available at: http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU20082291536/O/D20081536.pdf. The form can also be sent by regular mail or delivered in person to the Inspector General’s Office. Notifications, as well as any changes to them, are free of charge.

Content of the notification

The notification should include the following information listed in art. 41 PDPA:

  • An application for entering the personal data filing system into the register
  • Specification of the:
    • controller and the address of its seat or place of residence (including identification number from the national official business register)
    • legal basis for maintaining the filing system
    • data processor or controller’s representative in Poland, the address of its seat or place of residence (if entrusted/appointed)
  • Purpose of the data processing
  • Description of the data subjects’ categories and the scope of the processed data
  • Information on the ways and means of data collection and disclosure
  • Information on the (categories of) recipients to whom the data may be transferred
  • A description of the technical and organizational measures applied for data security purposes
  • Information on the ways and means of fulfilling technical and organizational conditions
  • Information relating to a possible data transfer outside the European Economic Area

Exceptions

Art. 43 of the Personal Data Protection Act contains a full list of the exemptions from the obligation to register data filing systems. The main ones cover data filing systems that:

  • are processed exclusively for invoicing, billing or accounting purposes
  • are publicly available
  • are processed with regard to minor current everyday affairs
  • are processed in connection with employment by the controller or the provision of services
  • refer to persons availing themselves of their health care services, notarial or legal advice, or patent agent, tax consultant or auditor services

Furthermore, appointing a data protection officer (administrator bezpieczeństwa informacji) and notifying the Inspector General of this fact also exempts controllers from registering their data filing systems. In such circumstances, the data protection officer keeps an internal register of data filing systems, whereas the Inspector General keeps a register of the appointed data protection officers.