24.04.2024

The President of the Polish SA has serious reservations about the register of public figures

The draft Act on the National Register of Persons Performing Certain Public Functions in its current form is inconsistent with the GDPR and needs to be amended.

"The drafters of the proposed Act on the National Register of Persons Performing Certain Public Functions did not carry out a personal data protection impact assessment. As a result, they have not demonstrated the necessity of processing specific data for the achievement of the assumed purpose nor the necessity to create another, in principle public, register," said Mirosław Wróblewski, the President of the Personal Data Protection Office, in his comments to the draft Act. According to this draft Act, the newly created Register of Persons Performing Certain Public Functions is to process such data as: name, surname, place of residence, personal identification number (PESEL number), function, first name, surname and PESEL number of the spouse, ascendants and adult descendants of the first degree and adult siblings, as well as electronic copies of property declarations.

"Such a scope of data and the methods of their processing may cause a wide range of risks to the privacy and personal data of persons performing public functions, but also third parties," points out the President of the Personal Data Protection Office.

In his comments to the draft, submitted to Dariusz Salamończyk, Deputy Head of the Chancellery of the Sejm of the Republic of Poland, the President of the Personal Data Protection Office points out that the purpose of creating this register is unspecified. The initiator of the draft Act only indicated that these solutions are to translate into transparency of public life.

The draft also lacks a definition of a public figure, and the explanatory memorandum of the draft uses the notion of a person exposed to the public, which also proves that the drafters do not use consistent and unambiguous terms.

The President of the Personal Data Protection Office also points out that the data in the register is to be entered and updated by a public figure on his/her own, after authentication. However, the draft does not specify the status of such a data uploader, and the Minister of Justice is designated as the data controller. Such provisions will make it unclear who is to be responsible for exercising the rights of data subjects, notifying breaches, data quality, or the correctness of data in the register.

Among the list of objections to the draft, the President of the Personal Data Protection Office also indicates that many of the proposed solutions are imprecise. Moreover, the proposed new regulations do not regulate the issue of securing the register and the access of various entities to its resources. It is not even known in what mode these data will be made available – whether in the application mode or without the application procedure, and under what conditions.

The President of the Personal Data Protection Office is also concerned about the period of data storage in the register, which is expected to be 8 years.

Other comments on the draft and an in-depth analysis of the proposals to which the supervisory authority has reservations can be found in the opinion of the Personal Data Protection Office, which is attached in full below.