Poland

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

Start Vetting Your Data Processors! Key Takeaways From

In January 2022, the President of the Personal Data Protection Office (“DPDO“) of Poland fined both a data controller and processor for their failure to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the data controller failed to exercise its GDPR right to audit and inspect

Map of Warsaw, PolandThe reorganization of the Personal Data Protection Office (UODO), which took place in December 2019, warrants an assumption that 2020 will see increased activity from the supervisory authority. The UODO’s creation of three new departments indicates that the officers intend to specialize further to boost the efficiency of personal data protection inspections, in particular data breaches. Therefore, it is worth analyzing the definition of a breach, based on the decisions issued by the President of UODO in 2019.
Continue Reading Poland: Expected Enforcement Actions in 2020 and Beyond. Who Should Beware?

Map of Warsaw, Poland

On September 9, the Polish Data Protection Supervisory Authority (UODO) issued its response to the letter of the President of the Polish Bank Association, wherein it clearly stated that the provision of the banking law (i.e. article 112b of the act) does not entitle banks to make copies of personal ID cards of their clients at all times (e.g. for the purpose of setting up a bank account or checking the client’s credibility). In the regulator’s opinion, making copies is permitted only when the law explicitly authorizes one to do so.
Continue Reading Polish Data Protection Authority’s Position on Making Copies of Identity Documents by Banks

Map of Warsaw, Poland

Updated Black List of Processing Operations Requiring DPIA

On July 8, 2019 the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority, after the European Data Protection Board (EDPB) raised its objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.

As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA:Continue Reading Data Protection Update for Poland

While the GDUnited Nations newsPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018.

The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of. This includes the areas of employment, sensitive personal data such as health data and in relation to the role of data protection officers.

Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States.
Continue Reading Survey of the National GDPR Implementation Laws of Key Member States