UODO President’s letter
Dear Ladies and Gentlemen,
Today, on 25 May 2018, we begin to apply the provisions of the EU General Data Protection Regulation, that is, the GDPR. Thus the two-year adjustment period, by the end of which everyone obliged to apply its provisions should have started acting in a way fully compliant with them, comes to an end.
This day is a perfect occasion to share with you some reflections on the future of the Polish personal data protection system.
The new data protection system is based on the provisions of the European Regulation, and hence it is directly applicable in all Member States of the European Union. The provisions of Directive 95/46/EC become history, and so do the provisions of the Act on Personal Data Protection of 1997 implementing that Directive in the Polish legal order, which for the last 20 years have been the basis of the activity of the Inspector General for Personal Data Protection. The experience of the Office and of everyone who has so far dealt with this subject matter, both in theory and in practice (representatives of the world of science, controllers, administrators of information security and everyone for whom the issues of personal data protection and the right to privacy are of interest), will allow for an efficient application of the new provisions and ensure that the objectives of the Regulation are achieved. For the data protection authority, it is a priceless asset which will be managed with due care, as it has been so far.
I would like to sincerely thank everyone for 20 years of work for the benefit of personal data protection.
The new law, which will regulate in a uniform way the rights of all persons staying in the territory of the European Union and the obligations of the entities collecting and using their personal data, shall better respond to the needs and challenges of the 21st century. For it establishes new data protection mechanisms and gives the same new rights to supervisory authorities to execute activity compliant with the law.
The first meeting of the European Data Protection Board, the body bringing together the heads of all EU data protection authorities, held today in Brussels, is a reminder of that European dimension of the GDPR. One of the EDPB's tasks will be to ensure the consistent application of the new law.
It is worth recalling once again that the new regulation applies to everyone. Its provisions have to be applied by the entities collecting and using personal data in connection with gainful activity, professional activity, and execution of public tasks or statutory objectives. So, they have to be observed by large corporations – e.g. insurance companies or financial institutions – and by all the authorities, educational institutions, health care institutions and NGOs, and online shops, and finally by small family enterprises, such as motor works or boarding houses.
Over the last 20 years, reality has changed dramatically. Many threats to privacy which we encounter every day simply did not exist. Mobile telephony, mobile Internet, social networking sites or the Internet are just the four most visible symbols of those changes. Increasing globalisation and digitisation are among the reasons why the reform of our data protection system has become essential.
The new law is intended to ensure a high level of data protection and makes the legal mechanisms more flexible, as it departs from detailed regulation of some issues at the level of legislative acts. It determines the objectives to be achieved. This can, however, be done in a way adapted to the specificity of one’s activity.
Meeting specific standards of the GDPR will require from controllers responsibility, creativity and independence, as well as everyday reflection on how to make personal data protection a part of management of the institution, and not just a formal obligation. At the same time, it will be essential as well to raise awareness of employees.
I am aware of the fact that at the beginning all these activities may cause difficulties. I believe, however, that, in the long term, making this effort will be beneficial, and may even be the source of savings in the future. The Office is ready to support controllers in the implementation of this challenge.
Regulating the processes of personal data processing, which have now become a “driving force” of the economy, and developing a model for the management of all the information may be the source of clearly visible competitive advantage and the basis for building the right image in the eyes of the customers and contractors.
It is also worth realising that the GDPR also entails tangible benefits and new rights for each of us. First of all, it increases our control over who does what with our personal data. Everyone who is processing our data will have to inform us, using clear, plain and intelligible language, inter alia about which of our data will be used, on what grounds, for what purpose and for how long, and what rights we have in connection with this. In case of loss of control over our data, we will be informed about this as well.
This way we will also get peace of mind, as today some people are concerned about the fact that some entity has their data, and in fact it results e.g. from the legal obligations imposed on that entity, and not from our consent which we have carelessly or unknowingly given. Often we do not know about it, since we are simply not sufficiently informed about it. Now things will be different.
The new solutions, as for example “the right to be forgotten” or “the right to data portability”, will surely contribute to better protection of our privacy.
The strong and independent supervisory authority – the President of the Personal Data Protection Office – will ensure the exercise of these rights and obligations, and it will be equipped with the tools necessary for this.
As regards the above tools, penalties are of course the main areas of concern. However, I would like to emphasise that it is one of many mechanisms of ensuring compliance with the law which will be used by the supervisory authority just as all other rights granted to it. The provisions of the GDPR specify many different factors which we will take into account when making a decision on imposing a fine and on its amount.
Dear Ladies and Gentlemen, today we start to act in the new, reformed reality. I am confident that we all will make every effort to best perform the task of proper protection of privacy in these new circumstances.