search

Friday, March 1, 2024

TRAVEL TO LEARN

Aashruti Tripathy is a 27-year-old student from Nepal, who came to Poland for an Erasmus Mundus master’s scholarship at the University of Łódź. She...

Italian Masters

The Wawel Royal Castle in Kraków announced that the exceptional work of the Renaissance master Giovanni Bellini – “Madonna and Child”, will join the...

The Iron Claw

Sean Durkin, an independent film director and producer known from the critically acclaimed “Martha Marcy May Marlene” and “The Nest”, comes back with a...

Polish songs by Aga Zaryan

Polish jazz singer Aga Zaryan will give an unusual performance at Szczecin Philharmonic, showing a completely new side of her artistic expression. The repertoire...

Memento Mori

Depeche Mode extended its Memento Mori international tour and after concerts in Europe, Mexico, Canada and the USA, announced 29 new performances in Europe...

IMPLEMENTING GLOBAL GDPR POLICY IN POLAND – WHAT CAN GO WRONG?

Polish companies that are part of international capital groups often adopt documentation, procedures and records of personal data processing that are globally applicable throughout the group.

Such an approach often raises problems in light of the requirements of the GDPR and, instead of easing the company’s task of achieving compliance with the regulation, may expose the company to liability for breaches, including heavy fines. The upper limit of the penalties is the equivalent of €10 or 20 million or 2% or 4% of the annual worldwide turnover of the previous financial year, depending on, among other things, the type, severity and impact of the breach.

What can a supervisory authority question in relation to the adoption of globally applicable solutions and documentation at group level but without taking into account the context for a Polish controller? 

The main areas where the risk of non-compliance may arise are:

1. information obligations,

2. register of personal data processing activities,

3. an agreement on the entrustment of the processing of personal data,

4. retention periods,

5. data protection officer.

Re 1.

Each time a Polish company acts as a controller, it should apply the model information clauses adopted at group level to the individual context in which it processes personal data and the way in which the data is processed. 

Re 2.

Similarly to the information clauses, the register of processing operations is to be adjusted to the realities of the processing of personal data by a specific controller. This means that a Polish company processing data locally should, as a rule, complete the register on its own. 

Re 3.

If a Polish company uses its own processors (e.g. a local accounting and bookkeeping office, an IT or archiving company), it is required to enter into agreements on the entrustment of the processing of personal data with them in accordance with the requirements of the GDPR.

Re 4.

Retention periods for personal data may result from national legislation, e.g. for accounting or employee records. It is very likely that the implementation of the GDPR on a global level does not take into account Polish data retention provisions.

Re 5.

A corporate group may appoint a data protection officer (DPO) for several companies, but the person performing this important function should be familiar with the context and specificity of the processing of personal data by the Polish company and be familiar with the practice of the Polish supervisory authority. Otherwise, the appointment of a global DPO to perform the function of DPO also in a Polish company may be purely formal and not meet the requirements of the GDPR.

In order to minimise the above risks of non-compliance with the GDPR, a Polish company which is part of a multinational group should at least verify and supplement the personal data protection documentation introduced at the group level, taking into account the specific nature of its activity and the local context of data processing. Such action may protect it from imposition of a severe fine.

Michał Kalata
Michał Kalata
Advocate at the Warsaw law firm Argon Legal. He has many years of experience in providing services to business clients, with a particular focus on the commercial real estate industry. He is responsible for the areas of corporate law, compliance and GDPR.
MUST READ