How many real changes in the Personal Data Protection Act?
A banner was posted at the beginning of 2012 on the website of Poland’s Inspector General for Personal Data Protection—”Notice: Change of law!”
The Business Activity Law of 19 November 1999 (Journal of Laws Dz. U. 1999 No. 101 item 1178, as amended) went out of force on 1 January 2012. Repeal of the Business Activity Law has an impact on data processers handling personal data of individuals operating a business.
Personal date of individuals conducting business
Before, under Art. 7a of the now-repealed Business Activity Law, data included in the local business register operated by Polish municipalities, in which businesses operated by individuals (i.e. sole traders and ordinary partnerships) were registered, were excluded from the data protection regime of the Personal Data Protection Act of 29 August 1997.
The local business register has now been replaced by the Central Registration and Information on Business (CEIDG).
Starting from 1 January 2012, data concerning individuals operating businesses are now treated as personal data, and are covered by the Personal Data Protection Act if the data meet the definition of personal data under the act. As a consequence, entities processing personal data of individuals operating businesses (whose data are disclosed in connection with their business operations) will need to assure that such data are processed in compliance with the data protection scheme set forth in the Personal Data Protection Act.
Transfer of personal data outside the European Economic Area
Meanwhile, changes introduced by the Act on Exchange of Information with Law Enforcement Authorities of European Union Member States of 16 September 2011 (Journal of Laws Dz.U. No. 230 item 1371) also went into effect on 1 January 2012. The most important change affecting the rules for transfer of personal data to a destination in a “third country” (i.e. a country that does not belong to the European Economic Area) was the rewording of Art. 47(1)–(2) of the Personal Data Protection Act, including adding a new subparagraph, Art. 47(1a).
Under the previous wording of Art. 47(1), it was necessary to assure that the third country provided for personal data protection as in force in Poland. Some legal commentators took the view that there was no justification for concluding under Art. 47(1) that transfer of data to a third country is impermissible in all cases where the third country does not provide at least the same data protection guarantees as provided by the Polish act. This approach was regarded by commentators as too restrictive.
The new wording of Art. 47(1) provides that in order to transfer data to a third country, it is sufficient if the third country provides an “adequate level of protection,” which is then defined in more detail in the new Art. 47(1a).
Adequate level of personal data protection
The concept of an “adequate level of protection” as codified in Personal Data Protection Act Art. 47(1) is drawn from Art. 25 of the Data Protection Directive (95/46/EC), and provides that the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding the data transfer operations, particularly the nature of the data, the purpose and duration of the proposed processing operations, the country of origin and country of final destination, the rules of law in force in the third country in question, and the professional rules and security measures which are complied with in that country.
Notwithstanding the excitement generated by the website of the Inspector General for Personal Data Protection, it does not appear that the recent amendments to the Personal Data Protection Act will have a huge impact on the practice of the Polish data protection authority in reviewing applications for approval of the transfer of personal data to third countries, particularly given that Art. 48 of the act, which provides for such approvals, still refers to “guarantees of protection of personal data at least as in force in Poland”. This conclusion was confirmed by an official at the Inspector General’s office responsible for this issue, who said that in his view, a finding of an “adequate level of protection” will continue to require de facto a determination that data protection in the third country meets the requirements of the Polish act.
This means that the only change that went into effect on 1 January 2012 that will have a major practical impact is extension of the statutory data protection scheme to cover information about individuals operating their own businesses.
Lucyna Olewniczak, Personal Data Protection practice, Wardyński & Partners