Sunday, September 25, 2022

What goes around, comes around

Sylwia Ziemacka talked to Agnieszka Sznyk, President of the Board at INNOWO.Let's start from the beginning. What is a circular economy?It's a new economic...

Employment Outlook

24% of Polish companies want to hire new employees from October to December, but simultaneously, many companies are considering job cuts - these are...

For Poland, victory in Ukraine is paramount

Beata Tomczyk talks to Dr Jacek Bartosiak, attorney at law, founder and owner of Strategy & Future.What exactly did Vladimir Putin want to achieve...

From small acorns, big oaks grow

Sylwia Ziemacka talks to Marta Winiarska, president of the board at Bioinmed. The position of Polish biotechnology companies in the global value chain is...

Polish electromobility market attracts investors

Good investment prospects according to the report “Electromobility in Poland: investments, trends, employment 2021 report” created by the Polish Investment and Trade Agency, Bergman...

IMPLEMENTING GLOBAL GDPR POLICY IN POLAND – WHAT CAN GO WRONG?

Polish companies that are part of international capital groups often adopt documentation, procedures and records of personal data processing that are globally applicable throughout the group.

Such an approach often raises problems in light of the requirements of the GDPR and, instead of easing the company’s task of achieving compliance with the regulation, may expose the company to liability for breaches, including heavy fines. The upper limit of the penalties is the equivalent of €10 or 20 million or 2% or 4% of the annual worldwide turnover of the previous financial year, depending on, among other things, the type, severity and impact of the breach.

What can a supervisory authority question in relation to the adoption of globally applicable solutions and documentation at group level but without taking into account the context for a Polish controller? 

The main areas where the risk of non-compliance may arise are:

1. information obligations,

2. register of personal data processing activities,

3. an agreement on the entrustment of the processing of personal data,

4. retention periods,

5. data protection officer.

Re 1.

Each time a Polish company acts as a controller, it should apply the model information clauses adopted at group level to the individual context in which it processes personal data and the way in which the data is processed. 

Re 2.

Similarly to the information clauses, the register of processing operations is to be adjusted to the realities of the processing of personal data by a specific controller. This means that a Polish company processing data locally should, as a rule, complete the register on its own. 

Re 3.

If a Polish company uses its own processors (e.g. a local accounting and bookkeeping office, an IT or archiving company), it is required to enter into agreements on the entrustment of the processing of personal data with them in accordance with the requirements of the GDPR.

Re 4.

Retention periods for personal data may result from national legislation, e.g. for accounting or employee records. It is very likely that the implementation of the GDPR on a global level does not take into account Polish data retention provisions.

Re 5.

A corporate group may appoint a data protection officer (DPO) for several companies, but the person performing this important function should be familiar with the context and specificity of the processing of personal data by the Polish company and be familiar with the practice of the Polish supervisory authority. Otherwise, the appointment of a global DPO to perform the function of DPO also in a Polish company may be purely formal and not meet the requirements of the GDPR.

In order to minimise the above risks of non-compliance with the GDPR, a Polish company which is part of a multinational group should at least verify and supplement the personal data protection documentation introduced at the group level, taking into account the specific nature of its activity and the local context of data processing. Such action may protect it from imposition of a severe fine.

Michał Kalata
Michał Kalata
Advocate at the Warsaw law firm Argon Legal. He has many years of experience in providing services to business clients, with a particular focus on the commercial real estate industry. He is responsible for the areas of corporate law, compliance and GDPR.
MUST READ