29
Fri, Mar
51 New Articles

General Data Protection Regulation – New Burden or New Hope for Business in Poland?

General Data Protection Regulation – New Burden or New Hope for Business in Poland?

Poland
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Regulation”), will directly apply in the EU Member States starting May 25, 2018.

Compared to its predecessor (Directive 95/46/EC), the General Regulation contains an expanded catalogue of rights granted to individuals, including the right to be forgotten, the right to data portability, and the right to restriction of processing. The General Regulation imposes a number of new obligations on data controllers and will influence the functioning of all entrepreneurs dealing with consumers. 

A particularly notable change pertains to the process of acquiring consent for data processing. The consent an entrepreneur obtains from an individual, regardless of whether it is secured from the data subject on paper or electronically, will have to be separable from other statements and contain detailed information (including information about all purposes of processing and about the right to withdraw the consent at any time). At the same time, the consent form must be presented in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Consent-by-silence or acceptance of pre-ticked boxes will not be sufficient. 

In addition, more caution and more paperwork will be needed to demonstrate necessary compliance with the General Regulation. Official codes of conduct will be introduced and will have to be followed.

Many controversies will surely arise as to the right to be forgotten, because every controller who has made personal data public and receives an erasure demand will need to inform all other controllers processing the data to also erase any links to it, or copies or replications of it. This could be a real challenge.

At first glance the General Regulation may seem overly protective and too restrictive towards business. However, a closer look at its provisions and a comparison to the Polish status quo is helpful in understanding its rationale.

First, European Community lawmakers recognized that data protection rights do not always deserve priority over other protected rights, such as the freedom to conduct business and freedom of expression. The General Regulation should help assure entrepreneurs, as they consider how they do business, that both data protection rights and other protected rights will be recognized and appropriately balanced. 

Second, Poland really needed up-to-date regulations. The current data protection law in the country dates back over 20 years and is at odds with the technological development that has taken place since then. The Polish social and business environment has also changed rapidly following the introduction of a free market. Since the new law, unlike its predecessor, comes in the form of a Regulation, it will be directly applicable and will result in an unprecedented occasion to review, revise, and delete all the outdated acts. 

Third, Polish entrepreneurs are already accustomed to a number of similar obligations pertaining to personal data processing. According to current laws, every personal data controller has to maintain formalized documentation, to grant data subjects access to information, and to correct or remove data upon a valid request. On a positive note, the strict formalities that have been a difficulty for small- and medium-sized businesses will change. The General Regulation is respectful of the specific situation of micro, small, and medium-sized enterprises and introduced a derogation for those with fewer than 250 employees with regard to record-keeping. Under the existing regime, it is often a struggle for them to maintain the obligatory technical and organizational requirements.

From a Polish perspective, a new law regulating data protection has been needed for a long time and, despite its restrictions and the uncertainties that accompany any new set of rules, the General Regulation is a reasonable response to this need. The two-year transition period is adequate for the scale of adaptations to be made by both lawmakers and entrepreneurs. The process of adaptation should start as soon as possible.

By Ronald Given, Co-Managing Partner, and Magdalena Nowak, Associate, Wolf Theiss Poland

This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.