Notifying the President of the Personal Data Protection Office of designation of a DPO
Notification to the President of the Personal Data Protection Office of designation/change/dismissal of a Data Protection Officer and Deputy Data Protection Officer
WHEN IS THE CONTROLLER UNDER OBLIGATION TO DESIGNATE A DATA PROTECTION OFFICER?
The General Data Protection Regulation (2016/679) in its Art. 37 (1) envisages the obligation to designate a Data Protection Officer for controllers and processors where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
Public authorities and bodies obliged to designate a DPO referred to in Art. 37(1)(a) of the Regulation 2016/679, shall mean the entities of the public finance sector (e.g. local government authorities, public universities), research institutes and the National Bank of Poland (Art. 9 of the Act of 10 May 2018 on the Protection of Personal Data).
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Art. 9 and personal data relating to criminal convictions and offences referred to in Art. 10 of the Regulation 2016/679.
In interpreting the concepts used in Art. 37(1)(b) and (c) of the Regulation 2016/679 (“core activities”, “regular and systematic monitoring” and “on a large scale”) the recitals of the GDPR as well as the Guidelines on Data Protection Officers, issued by Article 29 Working Party, might be helpful.
IS THE CONTROLLER OR THE PROCESSOR OBLIGED TO DESIGNATE A DEPUTY DPO?
No, there is no such obligation. However, since 4 May 2019, according to the Act of 10 May 2018 on the Protection of Personal Data (with amendments), the controllers can designate a person replacing the officer during his or her absence (Art. 11a(1)), considering the criteria referred to in Art. 37(5) and (6) of the Regulation 2016/679.
HOW TO NOTIFY THE SUPERVISORY AUTHORITY OF THE DESIGNATION/CHANGE/DISMISSAL OF A DATA PROTECTION OFFICER AND DEPUTY DATA PROTECTION OFFICER?
The only correct and effective manner of notifying about designation/change of data/dismissal of the DPO is a notification in electronic form, affixed with a qualified electronic signature or a signature confirmed by a trusted ePUAP profile (according to Art. 10(6) of the Act of 10 May 2018 on the Protection of Personal Data, hereinafter: the Act).
The notification is to be sent using one of the below mentioned services of the biznes.gov.pl website (available in Polish only), i.e.:
- Designation of a new Data Protection Officer
- Change of contact data of current Data Protection Officer
- Dismissal of the current Data Protection Officer
- Dismissal of the current Data Protection Officer and designation of a new Data Protection Officer
Notifications effectively delivered to the Personal Data Protection Office are confirmed by the Official Submission Proof (Urzędowe Poświadczenie Przedłożenia, UPP: generated by biznes.gov.pl in the form of a UPP.xml file) and by an e-mail, automatically sent to the address provided upon creating the account.
According to Art. 11a of the Act, “the entity which has designated an officer can designate a person replacing the officer during his or her absence […]”.
The notification to the President of the Personal Data Protection Office about the designation of a Deputy DPO is made in the manner laid down in Art. 10 of the Act (Art. 11a(3) of the Act), which states that the only correct and effective manner of notifying of the designation/change of data/dismissal of a Deputy DPO is filling out the relevant questionnaire:
- Designation of a new Deputy Data Protection Officer
- Change of contact data of current Deputy Data Protection Officer
- Dismissal of the current Deputy Data Protection Officer
- Dismissal of the current Deputy Data Protection Officer and designation of a new Deputy Data Protection Officer
and sending it as an attachment in electronic form by means of a general ePUAP letter. The title of the letter shall reflect the title of the form.
Notifications effectively delivered to the Personal Data Protection Office are confirmed by the Official Submission Proof (Urzędowe Poświadczenie Przedłożenia: generated by epuap.gov.pl in the form of a UPP.xml file).
In case of technical problems with completing the notification, technical support shall be contacted:
- the biznes.gov.pl platform (https://www.biznes.gov.pl/en/help-centre) maintained by the Ministry of Entrepreneurship and Technology,
- ePUAP users support centre (https://epuap.gov.pl/wps/portal/strefa-klienta/pomoc - service available in Polish) in Centralny Ośrodek Informatyki (IT Centre under the Ministry of Digital Affairs).
NB: please remember that notifications must be sent in Polish.
WHAT IS THE DEADLINE FOR NOTIFYING THE SUPERVISORY AUTHORITY OF DESIGNATION OF A DPO OR DEPUTY DPO?
The controller or processor shall notify the President of the Personal Data Protection Office about the designation of DPO within 14 days of the day of the designation (Art. 10 (1) and (4) and Art. 11a (3) of the Act).
CAN THE NOTIFICATION ABOUT THE DESIGNATION/CHANGE/DISMISSAL OF A DPO BE MADE BY AN AUTHORIZED REPRESENTATIVE OF THE CONTROLLER?
The notification can be made by an authorized representative both in case of appointment of a DPO and deputy DPO (Art. 10 (2) and Art. 11a (3) of the Act).
A power of attorney shall be granted in electronic form and attached to the notification (Art. 10 (2) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws, item 1000 with amendments)).
A power of attorney in electronic form is, e.g., a document in DOC format bearing a signature confirmed by an ePUAP trusted profile or a qualified electronic signature of the persons authorized to represent the controller/processor.
NB: A scanned document bearing a handwritten signature will not be considered as the correct form of power of attorney.
Stamp duty shall be paid at the cash desk of Urząd Dzielnicy Śródmieście m. st. Warszawy or to the bank account of Urząd Dzielnicy Śródmieście m. st. Warszawy, ul. Nowogrodzka 43, 00-691 Warszawa: 60 1030 1508 0000 0005 5001 0038.
The title of payment should contain, along with the wording – opłata skarbowa za pełnomocnictwo [stamp duty for the power of attorney] - the abbreviation “PUODO”. The confirmation of payment shall be sent to the Personal Data Protection Office as an enclosure to the form.
If the power of attorney granted for the benefit of a spouse, relative in the ascending line, relative in the descending line, brother or sister is filed in the proceedings before the President of the Office, it is not subject to the requirement of paying a stamp duty.
CAN A FOREIGNER BE A DPO OR DEPUTY DPO?
The function of the Data Protection Officer or Deputy Data Protection Officer can be fulfilled in Poland by a foreigner. However, it needs to be emphasized that one of the significant tasks of a DPO (and deputy DPO) is to act as the contact point for the data subjects (Art. 38 (4) of the Regulation 2016/679) and for the supervisory authority (Art. 39 (1) letter e) of the Regulation 2016/679). The Art. 29 Data Protection Working Party in its Guidelines on Data Protection Officers (p. 10) indicates that the DPO “must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authority concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned.”
In consequence, it needs to be stated that the controller is obliged to ensure smooth and efficient communication in Polish between a DPO and a supervisory authority and the data subjects.