Poland Data Protection Authority
- The legal ground for the protection of personal data in Poland
- The legal position of the Inspector General for Personal Data Protection
- The legal rights of GIODO
- Limitations of GIODO Authority
1. The legal grounds for the protection of personal data in Poland
The legislation on the protection of personal data in Poland has been in force since 30 April 1998. On August 29th 1997 Poland adopted the act on the protection of personal data (Journal of Laws no. 133, item 883 with later amendments). However, the new Polish Constitution has already earlier included provisions defining the citizens' right to their personal data protection. Articles 47 and 51 of the Constitution constitute every person's right to access any official administrative documents.
The Constitution say that every person has the right to demand the correction of untrue information, as well as to obtain their source and the exact substance of such information. Also the privacy of data subjects must be protected.
The act on the protection of personal data contains the detailed and precise provisions on these issues. For full text of Polish act on the protection of personal data see www.giodo.gov.pl/English
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) - On 12 July 2005 Poland ratified the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows.
2. The legal position of the Inspector General for Personal Data Protection
The supervisory authority for the protection of personal data in Poland is the Inspector General for Personal Data Protection (Polish abbreviation: GIODO). This one-person authority is appointed by the Sejm of the Republic of Poland (Lower Chamber of the Polish parliament) with the consent of the Senate (Upper Chamber). The term of office of GIODO is 4 years. The same person may hold the office for not more than two terms.
The Inspector General enjoys legally guaranteed independence - as a non-political authority (the Inspector General may not be a member of any political party or any trade union) she/he may not be removed from the post neither may she/he hold another position except for a professor of a higher education institution. GIODO also enjoys the formal immunity.
3. The legal rights of GIODO
The Inspector General is empowered in particular to:
In order to ensure effective control over the processing of personal data by the controller, the employees of the GIODO Bureau are entitled to:
- supervise the compliance of data processing with the legal provisions on the protection of personal data
- consider complaints and issue administrative decisions ordering the adoption of the proper legal state
- keep the register of data filing systems and provides information on the registered data files
- issue opinions on bills with respect to the protection of personal data
- initiate activities to improve the protection of personal data
- participate in the work of international organisations and institutions involved in personal data protection issues
All of these activities are carried out within the framework of the so-called inspection (audit) in the seat of the controllers. They are obliged to co-operate with the GIODO's inspectors while the inspection is performed, and they are entitled to object to the inspectors' opinions. The material collected during the inspection constitutes the ground for administrative decisions, which are GIODO's most important legal remedy. By means of administrative decisions it may be ordered to remedy the negligence in the processing of personal data. In the past practice it was most often ordered to limit the scope of the processed personal data, to use technical and IT means to safeguard the data, to inform the data subjects about the processing conditions, to erase data from the filing system, to suspend certain use of data, to suspend the cross-border flow of data, to obtain the data subject's consent to the processing etc.
The decisions issued by GIODO may be appealed against with the Voivodship Administrative Court first and then - in the case when the party is not satisfied with the judgement - to the Supreme Administrative. The Supreme Court is not involved in such proceedings at all.
- enter premises, where the registered data filing systems are being kept and perform necessary examinations
- demand written or oral explanations, and question any persons responsible for the processing of personal data
- demand the presentation of documents and any data directly related to the subject of the inspection
- demand access to any devices, data carriers and computer systems used for data processing
- commission expertise and opinions to be prepared.
Apart from the administrative decisions issuing opinions on the applied legal and technical solutions is an important part of GIODO's activity, as well as issuing opinions and giving answers to the controllers' inquiries. Should the Inspector General find that the activity of a controller bears attributes of an offence, she/he informs the public prosecutor of the breach of the act on personal data protection.
In order to promote the idea of personal data protection GIODO frequently organises training courses on personal data protection, drafts her/his own website (www.giodo.gov.pl) and publishes her/his opinions in trade press.
4. Limitations of GIODO Authority
Though each data controller in Poland is obliged to obey the provisions of the act on personal data protection, the GIODO's right to control certain subjects is considerably restrained. GIODO may not control the data processing performed by churches and religious unions with an established legal status, she/he may not inspect data controllers holding data which constitute a state secret due to the reasons of national security or defence of the state. GIODO, however, may demand explanation from the mentioned controllers, but she/he has no power to issue an administrative decision, if a breach of the law is stated. Furthermore, GIODO may not inspect the controllers of data collected by intelligence and counter-intelligence services. The latter is subject to control by the responsible parliamentary committee (also in the field of data protection).
Bureau of the Inspector General for Personal Data Protection
ul. Stawki 2