The Polish data protection authority will inspect compliance with the regulations on data protection officers
A list of questions has been published on the website of the Personal Data Protection Office on compliance with the GDPR provisions on data protection officers. These issues will need to be addressed by data controllers and processers summoned by the data protection authority.
Based on its experience to date with proceedings regarding data protection officers, as well as questions asked by inspectors, the Polish Personal Data Protection Office has prepared a list of questions it will ask data controllers and processers when conducting compliance audits. The list is extensive, and the questions are detailed.
While the questions are related to data protection officers, in practice answering some of them will give the authority a broader view of how the entity handles compliance with the General Data Protection Regulation, including how it documents compliance for purposes of satisfying the accountability principle.
In our experience, data controllers and processers should pay particular attention to questions about:
- The method of assessing the data protection officer’s qualifications prior to appointment. Failure to adequately document the assessment and the basis for the assessment could potentially be treated as non-compliance with the GDPR.
- The resources (technical means, appropriate placement in the organisation’s structure, team supporting the DPO, and training) that should be provided by the data controller or processer to enable the data protection officer to properly perform the DPO’s tasks. Failure to provide the data protection officer with adequate resources could potentially be treated as non-compliance with the GDPR, especially if, e.g. the DPO has requested such resources.
- The ways of ensuring the DPO’s independence and preventing conflicts of interest, e.g. by implementing appropriate internal procedures for appointment and operation of the data protection officer. Absence of such procedures could potentially be treated as non-compliance with the GDPR.
- The method of engaging the DPO in processing operations, including at the implementation stage (e.g., as part of a data protection impact assessment), for example whether there are internal regulations for:
- Matters on which the DPO should be consulted (including new processes or changes to existing processes, or engaging data processers), and when the DPO should be consulted
- Who should consult with the DPO, and in what situations
- Who decides whether or not to follow the data protection officer’s recommendations
- Whether the DPO participates in management meetings, and on what terms
- How the data protection officer participates in managing data breaches or responding to questions from data subjects.
The absence of such procedures could potentially be treated as non-compliance with the GDPR.
Below we provide a full list of the questions published by the Personal Data Protection Office:
- Has a data protection officer been appointed at the data controller?
- Does the data controller have an obligation to appoint a data protection officer (if yes, on what legal basis), or has a data protection officer been appointed despite the absence of such an obligation?
- Has the data controller published the name and contact details for the data protection officer on its website or, if it does not maintain a website, in a manner generally available at its place of business?
- Is the above information displayed in a publicly accessible place? (Please indicate the place, or for a website, indicate the address and the link to this information.)
- Is the data protection officer an employee of the data controller, and if not, on what legal basis does the DPO perform his or her duties?
- Has the data protection officer been appointed exclusively by the data controller, or does the DPO also perform these duties for other data controllers?
- Based on what qualifications has the data controller appointed the data protection officer (e.g. education, experience, knowledge)?
- What are the necessary resources, as referred to in Art. 38(2) of Regulation 2016/679, which the data controller provides for the data protection officer?
- In what way does the data controller provide resources to maintain the data protection officer’s expertise?
- What position does the data protection officer hold, and to whom does he or she report, within the organisational structure of the data controller?
- Has the data controller appointed a deputy data protection officer, and if so, when?
- Does the data controller have a data protection officer team or other form of ongoing support for the data protection officer to perform his or her tasks?
- How does the data controller ensure that the data protection officer is appropriately and promptly involved in all data protection matters? (For example, have policies been developed on matters to be consulted with the data protection officer, who should seek a consultation with the data protection officer, and in what situations, and on what terms, does the data protection officer participate in management meetings?)
- How does the data controller provide the data protection officer with access to personal data and processing operations?
- Has the data controller adopted any internal regulations regarding the functioning of the data protection officer (in particular, to ensure respect for the guarantees of his or her independence and powers regarding access to personal data and processing operations, involvement in all matters concerning personal data protection, and avoidance of conflicts of interest), and if so, in which internal act have they been provided for?
- How does the data controller ensure that the data protection officer is not instructed on how to perform the DPO’s tasks?
- How does the data controller ensure that the data protection officer is not disciplined or dismissed for doing his or her job?
- How does the data controller handle cases where the guidance or recommendations of the data protection officer are not followed? E.g. does it document the reasons for not following such guidance?
- How can data subjects contact the data protection officer in accordance with Art. 38(4) of Regulation 2016/679?
- Does the data protection officer also perform other duties or function in addition to data protection duties? If so:
- What DPO tasks does the DPO perform, and for how much time, and what other tasks does he or she perform?
- How has the data controller determined that there is no conflict of interest for each of these tasks as referred to in Art. 38(6) of Regulation 2016/679?
- Does the data protection officer report to anyone other than the data controller’s top management in performing other tasks?
- Has the data controller developed a policy for managing conflicts of interest or put in place another mechanism to ensure there is no conflict of interest?
- Does the data protection officer perform his or her duties only on the data controller’s premises, and if not, at what location, and how is ongoing access to the DPO by the data controller’s management and employees ensured?
- Has the data protection officer developed (or does he or she systematically develop) a plan for his or her work, e.g. in terms of training and audits?
- Has such a plan been presented to the data controller to allow the data controller to assess whether the data protection officer has sufficient resources and authority in the areas the data protection officer covers?
- How often, and how, does the data protection officer communicate the results of audits to the data controller?
- Has the data controller requested the data protection officer to make recommendations on data protection impact assessments, and if so, in what situations?
- Does the data controller review the data protection officer’s work, and if so, how?
With the above in mind, it is worth preparing for the authority’s inspection now and verifying whether the activity of particular interest to the Personal Data Protection Office is compliant with the GDPR, and whether the company maintains documents confirming this fact, including appropriate procedures. If an entity has not designated a data protection officer, it should hold documentation supporting the determination that it has no obligation to designate a data protection officer.
Karolina Romanowska, adwokat, Łukasz Rutkowski, attorney-at-law, Data Protection practice, Wardyński & Partners