The new law on data protection matters at the European level has been discussed at length over the last few years. It will finally come into force as a Regulation on May 25, 2018. These new provisions will unify personal data protection measures in the EU, and therefore certain changes to data protection standards will be introduced in Poland too. Since the lawfulness of data processing is a key aspect, a closer look at the impact of the Regulation on the commonly used basis for data processing in Poland – consent by the data subject to the processing of his or her personal data – is useful.
Under the Regulation, such consent will have to meet certain criteria. Consent must be specific, informed, unambiguous, and granted voluntarily prior to data collection. Similar conditions for data processing have already been imposed indirectly in Poland, based on case law and the relevant literature. Now, clear guidelines will be issued on the requirements for consent. Specifically, according to the Regulation, consent to data processing will not be deemed to have been granted voluntarily in the case of a clear imbalance between the data subject and a data controller. This is the case in particular when the controller is a public authority, or when the controller makes a service conditional upon consent even though consent is not necessary for the purpose of that particular service. According to the Regulation, consent must be an unambiguous affirmative act; hence a lack of response by the data subject or pre-ticked boxes will not be sufficient to allow lawful data processing.
As a rule, neither the current Polish provisions nor the Regulation require any specific form of approval for data processing (with the exception of sensitive data). Hence the data subject may signal agreement by ticking a special box on a website or by choosing certain settings for information society services. In any case, the data subject should actively confirm acceptance of the processing of his or her personal data. Importantly, the data controller must be able to prove that consent has indeed been granted.
According to the Regulation, special attention must be paid to the scope of consent. Polish companies must be aware that consent covering multiple data processing operations exposes them to the risk of illegal data processing. The Polish authorities are consequently questioning consent that is granted when different data processing purposes are combined in one statement (such as the performance of an agreement and online marketing). Once the Regulation enters into force, the different instances of consent will have to be separated so that each is specifically tailored to a particular data processing operation.
A substantial change for Poland will be the introduction of special protection for children by limiting their ability to consent to data processing. Until now this issue has not been subject to legal regulation. Polish law only requires parental authorization for the processing of sensitive data. For other kinds of personal data, there is no clear opinion in the literature as to when it is required. As a consequence of information society services, the Regulation introduces an obligation for data controllers to obtain parental consent to the processing of the data of children under 16. The minimum age may be lowered by Member States to 13 years. It is not yet clear what minimum age Poland will set for this particular consent.
The Regulation specifies an administrative fine of EUR 20 million for infringement of its provisions, including those on consent to data processing. For a company, this fine may be increased up to 4% of its total worldwide annual turnover in the preceding financial year. Polish law has not previously stipulated fines of this kind; only criminal liability has been specified. In practice it has rarely been applied, and therefore the new type of liability will be a good incentive for Polish companies to carefully and fully verify data processing measures
By Arkadiusz Ruminski, Associated Partner, Katarzyna Ziolkowska, Senior Associate, Noerr
This article was originally published in Issue 3.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.