Thursday, December 26, 2024

search

Artificial Intelligence Factory

The Academic Computer Centre ‘Cyfronet’ at AGH University in Kraków is implementing the AI Factory project to become the first Artificial Intelligence Factory in...

Klarna’s New Technology Hub

One of the global deferred payment leaders, Klarna, wants to build a new technology hub in Warsaw. It has been present in Poland since...

Strengthening Europe’s Economy

Europe urgently needs to strengthen its economy and address its growing competitiveness gap to remain an anchor of peace, prosperity, and stability in a...

Lisa Gerrard and Jules Maxwell

Acclaimed Australian artist – Lisa Gerrard, known from the alternative, dark independent group Dead Can Dance and the Golden Globe-awarded score for “Gladiator”, together...

Polish Carols by Mazowsze

It’s hard to imagine Polish traditional Christmas celebrations without listening to Polish carols performed by the Mazowsze Ensemble choir and orchestra. Those who this...

IMPLEMENTING GLOBAL GDPR POLICY IN POLAND – WHAT CAN GO WRONG?

Polish companies that are part of international capital groups often adopt documentation, procedures and records of personal data processing that are globally applicable throughout the group.

Such an approach often raises problems in light of the requirements of the GDPR and, instead of easing the company’s task of achieving compliance with the regulation, may expose the company to liability for breaches, including heavy fines. The upper limit of the penalties is the equivalent of €10 or 20 million or 2% or 4% of the annual worldwide turnover of the previous financial year, depending on, among other things, the type, severity and impact of the breach.

What can a supervisory authority question in relation to the adoption of globally applicable solutions and documentation at group level but without taking into account the context for a Polish controller? 

The main areas where the risk of non-compliance may arise are:

1. information obligations,

2. register of personal data processing activities,

3. an agreement on the entrustment of the processing of personal data,

4. retention periods,

5. data protection officer.

Re 1.

Each time a Polish company acts as a controller, it should apply the model information clauses adopted at group level to the individual context in which it processes personal data and the way in which the data is processed. 

Re 2.

Similarly to the information clauses, the register of processing operations is to be adjusted to the realities of the processing of personal data by a specific controller. This means that a Polish company processing data locally should, as a rule, complete the register on its own. 

Re 3.

If a Polish company uses its own processors (e.g. a local accounting and bookkeeping office, an IT or archiving company), it is required to enter into agreements on the entrustment of the processing of personal data with them in accordance with the requirements of the GDPR.

Re 4.

Retention periods for personal data may result from national legislation, e.g. for accounting or employee records. It is very likely that the implementation of the GDPR on a global level does not take into account Polish data retention provisions.

Re 5.

A corporate group may appoint a data protection officer (DPO) for several companies, but the person performing this important function should be familiar with the context and specificity of the processing of personal data by the Polish company and be familiar with the practice of the Polish supervisory authority. Otherwise, the appointment of a global DPO to perform the function of DPO also in a Polish company may be purely formal and not meet the requirements of the GDPR.

In order to minimise the above risks of non-compliance with the GDPR, a Polish company which is part of a multinational group should at least verify and supplement the personal data protection documentation introduced at the group level, taking into account the specific nature of its activity and the local context of data processing. Such action may protect it from imposition of a severe fine.

Michał Kalata
Michał Kalata
Advocate at the Warsaw law firm Argon Legal. He has many years of experience in providing services to business clients, with a particular focus on the commercial real estate industry. He is responsible for the areas of corporate law, compliance and GDPR.
MUST READ