On September 12 the Ministry of Digitization published a draft law on the protection of personal data. The law is to clarify the solutions contained in the EU Regulation 2016/679, which will enter into force on 25 May 2018. What does it envisage for NGOs?
A new office will be set up
The Inspector General for Personal Data Protection (GIODO) will be replaced by the Office of Data Protection, headed by a President. The new data protection authority will have much broader powers than GIODO, including powers of control, and will be able to impose far more severe penalties. The justification for the draft indicates that the number of staff at the new office will increase.
Changes in the proceedings before the Office of Data Protection
The average duration of proceedings before GIODO is 437 days. The legislator therefore decided to introduce solutions to speed up the procedure. First, proceedings will be conducted according to the amended Code of Administrative Procedure. Second, the proceedings will be single-instance, meaning that a decision of the President of the Office of Data Protection will be appealed directly to the court. Third, complaints are not expected to be considered as separate remedies. This means that all rulings, such as the rejection of evidence, will be challenged jointly in the complaint to the court.
Opportunity for social organizations to participate
The draft law envisages an active role for NGOs in proceedings before the President of the Office of Data Protection. A social organization may request that proceedings be initiated, or that it be allowed to participate in proceedings, if this is justified by the statutory purposes of the organization and is in the interest of the person whose rights have been infringed. This will help victims assert their rights.
Reservation of confidentiality
Organizations that conduct business activities will be able to reserve the confidentiality of documents submitted to the President of the Office of Data Protection. This applies to information protected as a business secret. The aim is to prevent leakage of information and protect important business resources.
Settlements and penalties
The Regulation provides for a maximum penalty for infringing personal data protection provisions of EUR 20 000 000 or 4% of the entity's total annual turnover for the previous year. The regulation softens some of the solutions. First, where the seriousness of the breach of the provisions on the protection of personal data is negligible and the infringement has ceased, the President of the Office of Data Protection may, by means of a decision, give a warning. Second, although decisions issued by the President of the Office of Data Protection are immediately enforceable, lodging a complaint with an administrative court suspends execution of the decision as regards the administrative penalty. Third, the President of the Office may, at the request of the fined entity, postpone the payment of a fine or spread it over installments on account of the applicant's important interest.
Rules of control
The law also regulates control carried out by the President of the Office of Data Protection. Control proceedings may be conducted in accordance with the control plan approved by the President of the Office, or off-plan on the basis of information obtained or analyses carried out by the President of the Office. In the first case it will concern selected categories of entities such as kindergartens and language schools. In the latter case, these may be checks, for example, based on media reports or reports.
Officials will get broad powers, for example access to land, buildings or other premises, the right to inspect any document and any information directly related to the subject matter of the inspection, and the right to inspect equipment, media and computer or data processing systems. In addition, they will be able to request written or oral explanations and to summon and interview witnesses. Importantly, the provisions on the freedom of economic activity concerning the duration of an audit and the principle of a single audit at any one time do not apply to these audits.
Civil and criminal liability
The draft law, apart from the penalties imposed by the President of the Office of Data Protection, provides for civil and criminal sanctions. In the first case, the general principles of the Civil Code will apply. This means that the limit of liability is the damage done. However, keep in mind that personal information is protected as personal property. Therefore, the court may, in certain cases, grant redress. In addition, any person whose rights have been infringed may demand that the infringing action cease, and may demand that the person committing the infringement take the steps necessary to remove its effects. In other words, not only the Office, but also the court may prohibit the processing of personal data.
The draft law provides for penal provisions. The legislator, however, departs from this method, leaving only two criminal acts: first, obstructing or thwarting control; second, processing of data without a legal basis, which will be punishable by up to one year of imprisonment.