DATA PROTECTION AUTHORITY IN POLAND

Similar documents
THE CROATIAN PARLIAMENT

ARTICLE 29 DATA PROTECTION WORKING PARTY

(a) national Authority

Adopted by the State Duma on September 22, 1999

REPUBLIC OF LITHUANIA LAW ON PUBLIC ADMINISTRATION. 17 June 1999 No VIII-1234 Vilnius. (As last amended on 3 June 2014 No XII-903)

General Personal Data Protection Policy

ARTICLE 29 Data Protection Working Party

INFORMATION TO BE GIVEN 2

CNPD Training: Data Protection Basics

REPUBLIC OF ALBANIA THE ASSEMBLY LAW. No. 154/2014 ORGANIZATION AND FUNCTIONING OF STATE SUPREME AUDIT INSTITUTION

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

Act on the Government Offices of Iceland 1)

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

TERMS OF REFERENCE FOR THE ESTABLISHMENT OF THE INFORMATION AND COMMUNICATIONS TECHNOLOGY B-BBEE SECTOR CHARTER COUNCIL

Adopted by the State Duma on September 22, Chapter I. General Provisions

DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

European Data Protection Supervisor (Controleur europeen de la protection des donnees)

REPUBLIC OF L I T H U A N I A LAW ON THE ADJUSTMENT OF PUBLIC AND PRIVATE INTERESTS IN THE PUBLIC SERVICE

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

closer look at Definitions The General Data Protection Regulation

THE LEGAL CONVERGENCE CRITERION AND THE CZECH REPUBLIC

CANNABIGOLD.PL ONLINE STORE TERMS AND CONDITIONS of 25 May 2018

Co.Co.A. Constitutional Rights of Local Government. Lithuania. Prepared by: Vitalija Tamavičiūt

KAZAKHSTAN COMMENT OF THE WORKING GROUP ON THE REDISTRIBUTION OF POWERS ON THE DRAFT AMENDMENTS TO THE CONSTITUTION OF THE REPUBLIC OF KAZAKHSTAN

Comparative Table of the Legislation of Certain States Governing NGO Activities

GDPR: What Every MSP Needs to Know

DRAFT CONSTITUTIONAL LAW ON AMENDMENTS TO THE CONSTITUTION OF GEORGIA *

ARTICLE 29 DATA PROTECTION WORKING PARTY

ACT ON THE STATE ADMINISTRATION SYSTEM ZAKON O SUSTAVU DRŽAVNE UPRAVE

STATE CHILD RIGHTS PROTECTION AND ADOPTION SERVICE UNDER THE MINISTRY OF SOCIAL SECURITY AND LABOR REGULATIONS I. GENERAL PROVISIONS

Global Forum on Competition

ARTICLE 29 Data Protection Working Party

GENERAL TERMS AND CONDITIONS FOR THE PROVISION OF CUSTOMS BROKERAGE SERVICES

TEXTS ADOPTED. having regard to the Treaties, and in particular to Articles 2, 3, 4 and 6 of the Treaty on European Union (TEU),

A guide to GDPR the effect on all UK organisations

EU Institutions: An overview. Prof Antonino Alì, Elements of EU Law MEIS, School of International Studies, Trento, a.a. 2016/2017

the concept design of the reconstruction and modernization of the recording studios and control room

POLICY ON CONSULTATIONS IN THE FIELD OF SUPERVISION AND ENFORCEMENT. 1. Aim of this paper

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

CONSTITUTION OF THE REPUBLIC OF FIJI

SIGMA Support for Improvement in Governance and Management A joint initiative of the OECD and the European Union, principally financed by the EU

THE CROATIAN PARLIAMENT

EU GENERAL DATA PROTECTION REGULATION

The Revised DPA: What To Expect

REPORT UNDER THE OMBUDSMAN ACT CASE RED RIVER PLANNING DISTRICT REPORT ISSUED ON MARCH 22, 2016

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.

AUSTRALIA: New South Wales: Privacy Commissioner

The Statutes of the Gunter Grass Society of Gdansk

SIA Energokomplekss Registration No , registered office: 12 Krustpils Street, Riga, LV-1073 Revision No. 1

On the basis of Article 88, item 2 of the Constitution of the Republic of Montenegro, I am passing the D E C R E E

GUIDE SERIES. An introduction to public law

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

Data Protection (internal) Audit prior to May (In preparation for that date)

Preparing for the GDPR

Structural Assistance Act

The EESC secretariat employs approximately 700 staff and manages a budget of around EUR 135 million.

Template Vacancy Notice

General Data Privacy Regulation: It s Coming Are You Ready?

Trinity is committed to protecting the privacy and security of personal data.

GDPR for whom it may concern

BRIEF ANALYSIS AND COMMENTS

Independence and powers of independent supervisory authorities

STATUTE OF THE BULGARIAN ASSOCIATION OF THE METALLURGICAL INDUSTRY

A summary of the implications of the General Data Protection Regulations (GDPR)

TEXTS ADOPTED PART II. United in diversity. at the sitting of. Wednesday 5 May 2010 EUROPEAN PARLIAMENT

CHINA EASTERN AIRLINES CORPORATION LIMITED

Brussels, 7 May 2009 (Case ) 1. Procedure

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

THE INVOLVMENT OF THE PEOPLE S ADVOCATE IN THE CONSTITUTIONAL CONTROL AN EFFICIENT MEAN TO PROTECT HUMAN RIGHTS

SCHOOL COUNCIL LEGAL FRAMEWORK POLICY

(Legislative acts) DIRECTIVES

VACANCY NOTICE FOR THE POST OF PROJECT OFFICER CONSUMERS. (Ref.: EAHC/CA/IV/2011/001) THE EXECUTIVE AGENCY FOR HEALTH AND CONSUMERS

L A W on Decisional Transparency in Public Administration

Ernst & Young Data Protection Binding Corporate Rules Programme

Data Protection Policy. UK Policy May 2018

Executive Director Decision

ILLINOIS PERSONNEL RECORD REVIEW ACT

INTERNATIONAL COUNCIL SUPPORTING FAIR TRIAL AND HUMAN RIGHTS

L 360/64 Official Journal of the European Union

SAFECAP PRIVACY POLICY STATEMENT

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

ROCHE SERVICES (EUROPE) LTD. DATA PRIVACY NOTICE FOR CANDIDATES

GOVERNMENT OF THE REPUBLIC OF CROATIA

PUBLIC COUNCILOF THEEUROPEANUNION. Brusels,11March /14. InterinstitutionalFile: 2012/0011(COD) LIMITE

Vacancy for a post of Data Protection Officer (Temporary Agent, AD 5) in the European Asylum Support Office (EASO) REF.

Privacy Notice For Our Service Providers/Suppliers

The draft Opinion was sent to the DPO for comments on 24 November These were received on 16 January 2012.

JOINT OPINION ON THE LAW ON THE PROTECTOR OF HUMAN RIGHTS AND FREEDOMS OF MONTENEGRO

What is GDPR including those with no physical presence in the EU May 25th, 2018

Addendum to the Central Bank of Ireland Fitness and Probity Individual Questionnaire

China Southern Airlines Company Limited Terms of Reference of Audit and Risk Management Committee

basic corporate documents, in particular the company s articles of association; The principle is applied.

INFORMATION TO BE GIVEN 2

COMMISSION OF THE EUROPEAN COMMUNITIES. Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

REPEAL OF THE DISCIPLINARY RULES MADE UNDER THE PUBLIC ACCOUNTANTS' AND AUDITORS' ACT, 80 OF 1991 AND ADOPTION OF

Committee Opinion May 6, 2008 CITY ATTORNEY PROVIDES LEGAL SERVICES TO MULTIPLE CONSTITUENTS WITHIN AN ORGANIZATION.

University for the Creative Arts Application Declaration. Data Protection Privacy Notice

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

Transcription:

DATA PROTECTION AUTHORITY IN POLAND Urszula Góral The Cardinal Wyszyński University in Warsaw Bureau of the Inspector General for Persona Data Protection, Poland Generalny Inspektor Ochrony Danych Osobowych ul. Stawki 2, 00-193 Warszawa kancelaria@giodo.gov.pl

CONTENT Legal basis of data protection in Poland Basic principles of data protection Data Protection Authority

M. Narojek for GIODO 2011

CONSTITUTION OF THE REPUBLIC OF POLAND (art. 47) Everyone shall have the right to legal protection of his private life and family life, of his honour and good reputation and to make decisions about his personal life.

CONSTITUTION OF THE REPUBLIC OF POLAND (art. 51) No one may be obliged, except on the basis of statute, to disclose information concerning his person. Public authorities shall not acquire, collect or make accessible information on citizens other than that which is necessary in a democratic state ruled by law. Everyone shall have a right of access to official documents and data collections concerning him. Limitations upon such rights may be established by statute. Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. Principles and procedures for collection of and access to information shall be specified by statute

POLISH DATA PROTECTION LEGISLATION The Act on Personal Data Protection passed on 29 August 1997, entered into force on 30 April 1998 Several law enforcement provisions (Regulations)

DATA PROTECTION AUTHORITY POSSIBLE MODELS One person or commission One or more in the country Public or private sector Only data protection or other issues

VARIOUS ROLES OF DPAs Ombudsmen Auditors Consultants Educators Policy Advisers Negotiators Enforcers Seven roles of DPAs: C.Bennett, Ch. D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, pp. 107-116.

THE ROLES OF DATA PROTECTION AUTHORITY Ombudsman vs. Regulator Enforcer Auditor Educator consultant Negotiator Policy advisor International ambassador Reactive vs. Pro-active

PRIVACY ENFORCEMENT AUTHORITY??? A better term? Data Privacy Agency (DPA) or Privacy enforcement authority (PEA) Lee Bygrave proposes to change of terminology from Data Protection Authority (in 2002) to Data Privacy Agency (in 2014). The OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007) uses the term privacy enforcement authority (PEA), which means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings. The APEC Cooperation Arrangement Cross-border Privacy Enforcement (2010)17 and the OECD Global Privacy Enforcement Network (GPEN) use the same term. During the first PHAEDRA workshop, Blair Stewart put that this definition is similar to the narrower enforcement oriented definition of supervisory authority in [...] [Convention 108] and [Directive] 95/46/EC, and that [i]n addition to specialist privacy Strasbourg, June 5th, 2014 authorities, a PEA may include a general enforcer of, say, consumer or

POLISH DATA PROTECTION AUTHORITY Inspector General for Personal Data Protection (GIODO) Single independent body established in 1998 Assisted by the Bureau of the Inspector General for Personal Data Protection Appointed and dismissed by the Parliament 4 years term of office (renewable) Guaranties of independence provided for by law

GIODO AS AN INDEPENDENT SUPERVISORY AUTHORITY Independence of the Inspector General for Personal Data Protection shall be guaranteed by: provisions of the Act of 29 August 1997 on the Protection of Personal Data - formal declaration of GIODO s independence Art. 8 para. 4 specific provisions, e.g. GIODO s budget Act of 27 August 2009 on Public Finance

TYPES OF GIODO S INDEPENDENCE I. FORMAL a) GIODO s appointment mode regulated by the provisions of law Art. 8 para. 2-4 of the Act on Personal Data Protection s/he is appointed by the Sejm (lower chamber of the Polish Parliament) with the consent of the Senate s/he is Polish citizen permanently residing in Poland s/he is known for outstanding moral principles s/he has a degree in law and a proper professional experience s/he has no criminal record with regard to the performance of the duties he/she shall be solely subject to the Act the term of office 4 years (not more than two terms)

TYPES OF GIODO S INDEPENDENCE I. FORMAL cont. b) specified reasons for expiry of term of office and dismissal of GIODO dismissal before his/her term of office has expired: his/her resignation becoming permanently unable to perform his/her duties due to an illness violating his/her oath being sentenced pursuant to a valid court judgment for committing a crime Sejm with the consent of the Senate Art. 8 para. 8 of the Act on Personal Data Protection expiry of term of office: dismissal death loss of the Polish citizenship Art. 8 para. 7 of the Act on Personal Data Protection

TYPES OF GIODO S INDEPENDENCE II. a) POLITICAL Immunity criminal liability (only with the consent of the Sejm) deprivation of freedom (only with the consent of the Sejm) s/he may not be detained nor arrested (only in case of flagrante delicto and if his/her detention is necessary to secure the due course of proceedings ) obligation to notify the Speaker of the Sejm Art. 11 of the Act on Personal Data Protection b) Prohibitions and restrictions prohibition to hold another position prohibition to perform any other professional duties prohibition to be a member of any political party or any trade union prohibition to be involved in any public activity which cannot be combined with the honor of the Inspector General's post Art. 10 of the Act on Personal Data Protection

TYPES OF GIODO S INDEPENDENCE III. BUDGETARY AUTONOMY Independence Preparation of a plan of income and expenses for the next fiscal year Art. 139 para. 2 of the Act on Public Finance Inclusion of this plan in the draft budgetary act for the next year without prior agreeing theron Minister of Finance Changes Members of Parliament in the course of the procedure of passing the budgetary act

GIODO AS AN INDEPENDENT SUPERVISORY AUTHORITY Consequence of GIODO s independence: it is not in any way subordinate (in organisational or administrative terms) to other authorities or entities; it is not bound by resolutions, guidelines, standpoints or decisions of other authorities; it is autonomous in resolving the cased considered by it; in administrative proceedings it is reflected in the fact that any party not satisfied with the Inspector General s decision may exclusively as a remedy - apply to the Inspector General for reconsidering the case, and then appeal against the decision to the administrative court. (Art. 21 of the Act on Personal Data Protection).

POLISH DATA PROTECTION AUTHORITY (DUTIES) 1. Supervision over personal data processing (both public and private sector) 2. Issuing Administrative Decisions 3. Considering complaints 4. Keeping the register of data filing systems 5. Keeping the register of DPO s 6. Issuing opinions on bills and regulations 7. Activities to improve data protection 8. International co-operation

THE STATISTICS: ENQUIRIES CONCERNING THE INTERPRETATION OF THE ACT Year 2011 2012 2013 2014 2015 Number of 3935 4258 4911 4575 3962 enquiries sent to DPA

THE STATISTICS: COMPLAINTS Year 2011 2012 2013 2014 2015 Number of 1272 1593 1879 2472 2256 complaints

THE STATISTICS: INSPECTIONS Year 2011 Number of 199 2012 2013 2014 2015 165 173 175 175 inspections

THE STATISTICS: DATA FILING SYSTEMS NOTIFIED TO REGISTRATION Year 2011 Number of 15643 2012 2013 2014 2015 21580 28264 43300 31501 16267 16866 16870 10737 files notified to registration Number of files registered 11845

ORGANISATIONAL STRUCTURE

JURISDICTION, LEGISLATION AND COMPLAINTS DEPARTMENT replying to questions related to the provisions on personal data protection, preparing draft addresses of the Inspector General to public and private sector entities regarding the compliance with the provisions on personal data protection, drawing up positions on doctrine and legislation of the Supreme Court, general and administrative courts, Constitutional Tribunal in cases related to personal data protection,

JURISDICTION, LEGISLATION AND COMPLAINTS DEPARTMENT accepting and handling complaints and requests concerning realisation of the Act on Personal Data Protection issuing opinions on bills and regulations with respect to the protection of personal data, participating in the work of the Government, Parliament in connection with handling draft legal acts referred, drawing up draft notifications of commission of crime and requests for initiating

SOCIAL EDUCATION AND INTERNATIONAL COOPERATION DEPARTMENT promoting knowledge on personal data protection, organising training courses, conferences and seminars, handling requests for transfer of personal data to third countries, contact with government authorities, NGOs and other institutions in order to exchange experience as regards personal data protection and the right to privacy, organising international cooperation (international cooperation programme, international visits, conferences, special focus on EU cooperation), publishing materials promoting the knowledge on personal data protection and other publications.

INSPECTION DEPARTMENT conducting supervision over ensuring the compliance of data processing with the provisions on the protection of personal data, requesting the Inspector General for authorisation to conduct inspections, instituting and conducting administrative proceedings as a result of irregularities found in the course of the inspection, drawing up draft decisions, provisions and other letters of the Inspector General issued as a result of the inspections conducted, requesting, on the basis of the findings from the inspection, appropriate proceedings to be instituted against persons responsible for the irregularities which occurred, drawing up draft notifications of commission of crime and requests for initiating disciplinary proceeding or other proceedings provided for by the law.

PERSONAL DATA FILING SYSTEMS REGISTRATION DEPARTMENT keeping a national, open register of personal data filing systems, performing tasks connected with the provision of information on the filing systems registered (certificates), keeping the register of Data Protection Officers.

IT DEPARTMENT analysis and opinions regarding the draft legislation concernig new technologies, analysis within the privacy impact assesement, providing ad hoc assistance as regards the use of computer hardware and software (help desk), performing tasks related to the security of the computer systems.

SUPERVISION OVER PERSONAL DATA PROCESSING both public and private sector service identity card inspection team one lawyer and one IT expert authorization containing in particular the scope of the inspection and its time controller subject to the inspection is obliged to enable the inspector to perform the inspection

EMPOWERMENTS OF THE INSPECTORS Art. 14 1) enter, from 6 a.m. to 10 p.m., upon presentation of a document of personal authorization and service identity card, any premises where the data filing systems are being kept and premises where data are processed outside from the data filing system, and to perform necessary examination or other inspection activities to assess the compliance of the data processing activities with the Act, 2) demand written or oral explanations, and to summon and question any person within the scope necessary to determine the facts of the case, 3) consult any documents and data directly related to the subject of the inspection, and to make a copy of these documents, 4) perform inspection of any devices, data carriers, and computer systems used for data processing, 5) commission expertise and opinions to be prepared.

VARIOUS MODELS OF INSPECTIONS Inspection ex officio Inspection at the request Complex inspection Sectoral inspection Partial inspection

INSPECTION FOLLOW UP signalisation to GIODO correspondence with GIODO in case of lack of failures or their erasure before the proceeding is commenced. administrative proceeding ending with a decision (for instance ordering additional security measures, tehnical and organisational security measures) motion for reexamination of the case judical redress (non so far)

OFFICIAL REPORT OF THE INSPECTION - PROTOCOL the inspector who carries out the inspection shall prepare the official report of the inspection, one copy of such an official report shall be delivered to the controller subject to the inspection, protocol shall comprise the following information: - names of the entity and inspector, - specification of the subject and the scope of the inspection, - description of the factual state discovered in the course of the inspection and other information having a significant impact on the assessment of compliance of personal data processing with data protection provisions,

THE INSPECTOR GENERAL POWERS In case of any breach of the provisions on personal data protection, the Inspector General shall order to restore the proper legal state, and in particular: to remedy the negligence, to complete, update, correct, disclose, or not to disclose personal data, to apply additional measures protecting the collected personal data, to suspend the flow of personal data to a third country, to safeguard the data or to transfer them to other subjects, to erase the personal data.

E-GIODO ELECTRONIC PLATFORM FOR COMMUNICATION WITH THE INSPECTOR GENERAL E-GIODO is composed of: Computer software facilitating the completion of the form notifying data files for registration by the Inspector General for Personal Data Protection (GIODO), On-line form for reporting the appointment of the DPO, a Web version of the national registers of personal data filing systems and DPO s, allowing to search for registered data files or DPO s through a variety of criteria such as the name of the file and the name, or the seat of data controller.

AMENDMENTS OF THE DATA PROTECTION LAW INTRODUCED IN 2015 new status of the Data Protection Officer new rules for data filing systems registration new competences of the Inspector General new tools for supervision of data processing (checks conducted by DPO)

NEW STATUS OF THE DATA PROTECTION OFFICER appointment of DPO is a right not an obligation of the data controller relevant knowledge of DPO (assessed by the data controller, no certificates needed) notification of appointment of DPO to registration to the Inspector General

DATA PROTECTION OFFICER TASKS checking compliance of personal data processing with the provisions on the protection of personal data and drawing up a report in this regard for the controller, supervising development and update of the documentation describing the way of data processing and technical and organizational measures to protect the personal data being processed, appropriate to the risks and category of data being protected, as well as supervising compliance with the principles specified in this documentation, ensuring that the persons authorized to the processing of personal data become acquainted with the provisions on the protection of personal data, keeping a register of data files processed by the controller.

NEW RULES FOR DATA FILING SYSTEMS REGISTRATION DPO appointed: data filing systems containing sensitive data - obligation to notify filing register system before the processing starts, no sensitive data no notification obligation, DPO keeps registers of all data filing systems kept by data controller, data filing systems in paper form no obligation to notify (unless these data filing systems contain sensitive data).

NEW COMPETENCES OF THE INSPECTOR GENERAL Keeping the open register of the DPO s Requesting DPO for checking compliance of personal data processing with the provisions on the protection of personal data The fact that the administrator of information security has carried out a check does not exclude the Inspector General s right to carry out a supervision After carrying out the check the administrator of information security submits to the Inspector General a report

DPA S FUTURE UNDER GDPR stronger DPA s: - administrative fines (for infringements of the GDPR) - consistency mechanism increased responsibility and accountability for controllers: - data protection risk assessments, - data protection officers, - the principles of data protection by design and data protection by default.

THANK YOU FOR YOUR ATTENTION! desiwm@giodo.gov.pl http://edugiodo.giodo.gov.pl

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback