Publications

WHY IS IT A GOOD IDEA TO APPOINT AN INFORMATION SECURITY ADMINISTRATOR?

Pursuant to the Personal Data Protection Act of 29 August 1997 (Journal of Laws 2014.1182, as amended; hereinafter: the “Act”), any entity that processes personal data (of employees, customers, etc.) is a personal data controller, and is responsible for processing such data in compliance with the Act and properly safeguarding and protecting it. The Act imposes a number of requirements with regard to monitoring internal compliance with the regulations on the protection of personal data.

The management board (top management of a business entity), which acts as a personal data controller, is responsible for ensuring proper processing of data within the company. It is, however, possible for the duties related to supervising compliance with the data protection rules to be delegated to a designated person who will perform the functions of an information security administrator (“ISA”). It is not obligatory to appoint an ISA, but this is an option worth looking into.

If an ISA is appointed, he or she will be responsible for the entire process of data processing within the organisation. The ISA not only monitors compliance with the Act, but should be given the authority that allows them to bring the existing situation in line with the legal requirements.

The main objective of the ISA is to ensure compliance with the regulations on the protection of personal data. In particular, the ISA verifies that the processing of personal data conforms to the Act and the relevant regulations; supervises the development and updating of the documentation describing the method of data processing and the technical and organisational measures that protect personal data in a manner adequate to the existing risks and the categories of data subject to protection, and monitors compliance with the rules defined in that documentation; and ensures that persons authorised to process personal data are familiar with the applicable laws.

A further objective of an ISA is to keep the register of data sets being processed by the data administrator. This is important because a data administrator who has appointed an ISA and registered that person with the General Inspector for the Protection of Personal Data (“GIODO”) is released from the otherwise mandatory duty to register personal data sets, unless they do not include sensitive data.

The Act requires the person acting as the ISA to hold adequate expertise in the field of personal data protection. This precondition is assessed by the data controller. The regulations do not require the ISA to hold any certificates, training completion certifications, etc. The criterion of adequate expertise should be defined in line with the data processing operations carried out at the data administrator’s facility and the related requirements for the protection of data. A further requirement is that the ISA has full legal capacity, enjoys full civil rights and has not been convicted of an intentional criminal offence. The ISA should report directly to the business entity’s chief executive officer and must be provided by the administrator with the means and organisational autonomy necessary to carry out their responsibilities in an independent manner.

The business operator is required to notify GIODO of the appointment of the ISA for registration within 30 days of the appointment. The notified ISAs are listed in a national register open to the public. A data controller who has notified an ISA for registration is obliged to report to GIODO any change to the information provided in the notification of the ISA’s appointment within 14 days of the change, and to report the dismissal of the ISA within 30 days.

As appears from the above, the appointment of an Information Security Administrator would allow the management of a business entity to be relieved of some of its workload; it is important to note, however, that it does not release the management completely from its responsibility for having the process of personal data processing organised properly and lawfully.

MILLER, CANFIELD,
W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.
ul. Batorego 28-32
81-366 Gdynia
Tel. +48 58 782-0050
Fax +48 58 782-0060
gdynia@pl.millercanfield.com
ul. Nowogrodzka 11
00-513 Warszawa
Tel. +48 22 447-4300
Fax +48 22 447-4301
warszawa@pl.millercanfield.com
ul. Skarbowców 23a
53-125 Wrocław
Tel. +48 71 780-3100
Fax +48 71 780-3101
wroclaw@pl.millercanfield.com

Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of
certain recent legal developments of selected areas of law. For this reason the information contained in this publication should not form the basis of
any decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual
cases. The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other
legal development to the particular facts can be verified.