As of January 1, 2015, personal data controllers are no longer obliged to appoint a data protection officer (DPO), known in the Polish Data Protection Act as administrator bezpieczeństwa informacji (abbreviated and commonly referred to as an ‘ABI’). Until the end of last year, every organization (which was a data controller) had to have a DPO. Their tasks were very vaguely defined as the supervision of the proper safeguarding of personal data. Under the current legal framework, organizations can freely choose whether to name a DPO or not. At the same time, the duties of a DPO, and the criteria that a DPO should fulfill, are now laid out in much more detail.
The basic responsibility of a data protection officer is to ensure the compliance of data processing operations with the law. For that purpose, a DPO should audit the compliance of data processing within their organization on a yearly basis and draw up reports in this respect. Moreover, a DPO must supervise the preparation of data processing documentation, such as the security policy. They should also ensure that persons authorized to process personal data within an organization know the legal framework concerning personal data processing.
As far as the criteria that a DPO has to fulfill are concerned, such a person should have a good understanding of personal data protection regulations, have full legal capacity and enjoy full civil rights, as well as have a clear criminal record concerning intentional crimes.
One of the advantages of appointing a DPO is that in such a situation data controllers do not have to register data files containing ordinary (non-sensitive) personal data with the GIODO (the Polish data protection authority). This is why a DPO is also tasked with keeping a register of data files processed within the organization. It should be remembered, however, that merely appointing a DPO is not enough in order to be exempt from the data file registration duty – the GIODO must be notified of the appointment of a DPO and then the said DPO is entered into a public register, which is maintained by the GIODO.
Interestingly, the GIODO can request a DPO to perform an audit concerning data processing compliance in their organization and draft a report in this regard for the GIODO. If any infringements are identified, then the DPO should also indicate how they were or would be remedied. Such an internal audit would not, however, preclude the GIODO from carrying out an inspection.
Currently, there are almost 15,000 DPOs registered with the GIODO, but it is said that the number is still rising. It seems that the prospect of not having to register data filing systems and of having someone to supervise data processing compliance, appeals to many organizations.
Smaller entities can choose to register the data filing system which seems to be a less costly solution.