Amendments to the Act on the Protection of Personal Data – who is the Personal Data Protection Official (ABI) in Polish law?

July 17, 2015
Karol Błąd

I. New regulations

At the beginning of 2015, amendments to the Act on the Protection of Personal Data came into force. The changes concern the extension of the entitlements and duties of the Personal Data Protection Official (Administrator Bezpieczeństwa Informacji – ABI). The main aim of the amendments is to harmonize Polish law with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

II. Registration of the ABI

According to art. 36a of the Act on the Protection of Personal Data, appointing the ABI is optional and there is no legal duty to appoint one. However, there are significant benefits for a data controller (entrepreneur) who has appointed the ABI. An entrepreneur who wants to establish the ABI (in commercial partnerships or companies, the management board would most often be the responsible entity) has to register the ABI in the register kept by the Inspector General for Personal Data Protection (Generalny Inspektor Ochrony Danych Osobowych – GIODO).

The register is open and available at the address: https://egiodo.giodo.gov.pl/index.dhtml

Appointing and registering the ABI limits the entrepreneur’s obligations, which are then transferred to the ABI (the most important one is the duty to report the personal data filing system to the Inspector General for Personal Data Protection).

III. Obligations of the ABI

The ABI’s duties are named in art. 36a of the Act on the Protection of Personal Data. They are, inter alia:

  • ensuring observance of the principles of personal data protection (in particular by checking that personal data is processed in accordance with existing law, which is a kind of internal audit);
  • keeping a register of data filing systems processed by the data controller.

The tasks of the ABI are complex and certainly require comprehensive knowledge of personal data, its protection and processing.

IV. Consequences of not establishing the ABI

If the company, as a data controller, does not appoint the ABI, the data controller will have to fulfill most of the above-mentioned duties itself (art. 36b of the Act on the Protection of Personal Data). Moreover, in such a case the entrepreneur will have to register the personal data filing system with GIODO. This is because, in principle, only establishing the ABI releases the company from this obligation (according to art. 43 paragraph 1a of the Act on the Protection of Personal Data). In practice, in the case of a self-employed sole trader, these duties will burden the owner himself as a natural person, while if the company is a commercial partnership, the management board is responsible for registering the personal data filing system and ensuring an adequate level of data protection.

If the responsible entities fail to perform their obligations, the Act on the Protection of Personal Data provides for sanctions. Failing to report the personal data filing system to GIODO is, according to art. 53, a criminal offence. The sanctions provided are a fine, restriction of personal liberty, or imprisonment of up to one year. In accordance with judicial decisions and the opinions of legal doctrine, in the case of commercial partnerships or companies, the persons liable for such actions are the members of the management board.

V. Requirements for the ABI

Given the wide scope of the ABI’s responsibilities and the complexity of data protection, an important question is who can perform the ABI function. Art. 36a paragraph 5 of the Act on the Protection of Personal Data says that a person who wants to be the ABI:

1) has to have full capacity for legal acts and enjoy full rights as a citizen,

2) has to have an adequate knowledge in the matter of personal data protection,

3) must not have been convicted of a crime committed deliberately.

Points no. 1 and no. 3 can be easily demonstrated, but whether point no. 2 is fulfilled is not easy to assess. The Act on the Protection of Personal Data does not describe any way to prove the ABI’s knowledge of data protection. That is why the evaluation of the ABI’s proficiency is left to the data controller, who, in general, is not a specialist in that matter. Consequently, the management board, acting in its own interest (to avoid possible penalties and fines), should consider whether or not to hire experts specialized in data protection, who are available on the market.