On September 12 the Ministry of Digitization published a draft law on the protection of personal data. The law is intended to clarify the solutions contained in EU Regulation 2016/679, which will enter into force on 25 May 2018. What does it envisage for NGOs?

A new office will be set up

The Inspector General for Personal Data Protection (GIODO) will be replaced by the Office of Data Protection, headed by a President. The new data protection authority will have a much broader scope of authority than GIODO, including control powers, and will be able to impose far more severe penalties. The justification accompanying the draft indicates that the number of staff at the new office will increase.

Changes in the proceedings before the Office of Data Protection

The average duration of proceedings before GIODO is 437 days. The legislator therefore decided to introduce solutions to accelerate the procedure. First, proceedings will be conducted according to the amended Code of Administrative Procedure. Second, the proceedings will be one-step, meaning that a decision of the President of the Office of Data Protection will be appealed to the court. Third, complaints are not expected to be considered as separate remedies. This means that all rulings, such as the rejection of evidence, will be challenged jointly in the complaint to the court.

Opportunity for social organizations to participate

The draft law envisages an active role for NGOs in proceedings before the President of the Office of Data Protection. A social organization may request that proceedings be brought, or that it be allowed to participate in proceedings, if this is justified by the statutory purposes of the organization and is in the interest of the person whose rights have been infringed. This will help victims assert their rights.

Reservation of confidentiality

Organizations that conduct business activities will be able to reserve the confidentiality of documents submitted to the President of the Office of Data Protection. This applies to information protected as business secrets. The aim is to prevent leakage of information and to protect important business resources.

Settlements and penalties

The Regulation provides for a maximum penalty for infringement of personal data protection provisions of EUR 20 000 000 or 4% of total annual turnover for the previous year. The regulation softens some of the solutions. First, where the seriousness of the breach of the provisions on the protection of personal data is negligible and the infringement has ceased, the President of the Office of Data Protection may, by means of a decision, give a warning. Second, although decisions issued by the President of the Office of Data Protection are immediately enforceable, lodging a complaint with an administrative court suspends the execution of the decision as regards the administrative penalty. Third, the President of the Office may, at the request of the fined entity, postpone the payment of a fine or spread it into installments on account of the applicant's important interest.

Rules of control

The law also regulates controls carried out by the President of the Office of Data Protection. Control proceedings may be conducted in accordance with the control plan approved by the President of the Office, or off-plan on the basis of information obtained or analyses carried out by the President of the Office. In the first case, controls will concern selected categories of entities, such as kindergartens and language schools. In the latter case, these may be checks based, for example, on media reports or reports.

Officials will get broad powers. These include, for example, access to land, buildings or other premises, the right to inspect any document and any information directly related to the subject matter of the inspection, and the right to inspect equipment, media and computer or data processing systems. In addition, they will be able to request written or oral explanations and to summon and interview witnesses. Importantly, the provisions on the freedom of economic activity concerning the duration of an audit and the principle of a single audit at any one time do not apply to these audits.

Civil and criminal liability

Apart from the penalties imposed by the President of the Office for Data Protection, the draft law provides for civil and criminal sanctions. In the first case, the general principles of the Civil Code will apply. This means that the limit of liability is the damage done. However, keep in mind that personal information is protected as personal property. Therefore, the court may, in certain cases, grant redress. In addition, any person whose rights have been infringed may demand that the infringing action cease, and may demand that the person committing the infringement carry out the acts necessary to remove its effects. In other words, not only the Office but also the court may prohibit the processing of personal data.

The draft law also provides for penal provisions. The legislator, however, departs from this method, leaving only two criminal acts: first, obstructing or thwarting control; second, processing of data without legal basis, which will be punishable by up to one year of imprisonment.
