On the website of the Government Legislation Center, a new draft Act on the Protection of Personal Data (APD) was published on February 12, 2018. In relation to the original version, it was significantly detailed; the legislator decided to include some of the comments made during the public consultation. Even though there have been some amendments to the initial text, some widely debated issues remained unchanged.
The main purpose of ADP will be to complete the detailed provisions of the GDPR. The new act may therefore be generally described as a legal act regulating institutional and procedural aspects of personal data protection. The new draft identifies entities obliged to appoint a data protection officer (DPO) and notification procedure, conditions and procedure for certification and accreditation, appointment and competences of the new authority, the President of the Office for Personal Data Protection (POPDP), infringement proceedings for personal data protection, European administrative cooperation, control proceedings, civil and criminal liability and administrative fines.
The new draft contains a chapter on transitional and adaptation provisions that was not in the initial project. For the inspection initiated before May 25, 2018, the existing regulation will apply. Proceedings initiated and pending before the Inspector General for the Protection of Personal Data will be continued by the POPDP – all activities carried out in these proceedings will remain effective.
Continuing the subject of the POPDP, the legislator did not decide to base the proceedings before the President of the Office on the civil procedure and establish a two-stage procedure (two instances), which was one of the main postulates made during the consultations. Art. 6 of the new project directly points to the single-instance nature of the proceedings, and in matters not regulated in this regard in ADP, it refers to the provisions of the Code of Administrative Procedure. The POPDP shall be appointed by the Sejm (the lower house of the Polish Parliament) at the request of the Prime Minister for a four-year term and protected by immunity – analogically as indicated in the previous draft. The Ministry of Digitalization also decided not to withdraw the child’s age change, which will require obtaining parental consent for the processing of child’s data on the Internet. As in the original version of the draft, the legislator decided to reduce the above-mentioned age from 16 up to 13. It is worth noting that the issue of increasing the age proposed in the original project up to 16 (the border indicated on GDPR) was one of the issues widely discussed during the consultation.
Returning to the introduced amendments, a new chapter concerning the procedure for approving the code of conduct was added to the project. The authority empowered to approve this code will be the POPDP. The issues of accreditation and certification were also significantly extended and detailed, by regulating them in two separate chapters. The fee for activities related to the certification proceedings collected by the President of the Office was also increased: from three to four times the average monthly salary for work in the national economy.
Criminal liability was also changed, which was not included in the original draft. It is worth bearing in mind that while the current Act on the Protection of Personal Data provides for criminal liability (up to 3 years imprisonment for unauthorized processing of sensitive data), the GDPR does not contain criminal provisions. According to the new draft, not only the violation of sensitive data (up to 3 years imprisonment) will be punished, but also the violation of so-called ordinary personal data (up to 2 years imprisonment; however, the draft generally refers to the “processing of personal data”, while the current provision on “processing in the data filing system”) – the content of Article 101 of the project is therefore consistent with the current Article 49 of the ADP.
The new draft is still at the legislative stage and has already been submitted to the Committee on European Affairs. In accordance with Article 158, the act shall enter into force within 14 days of its announcement.
