Polish companies that are part of international capital groups often adopt documentation, procedures and records of personal data processing that are globally applicable throughout the group.
Such an approach often raises problems in light of the requirements of the GDPR and, instead of easing the company’s task of achieving compliance with the regulation, may expose the company to liability for breaches, including heavy fines. The upper limit of the penalties is the equivalent of €10 or 20 million or 2% or 4% of the annual worldwide turnover of the previous financial year, depending on, among other things, the type, severity and impact of the breach.
What can a supervisory authority question in relation to the adoption of globally applicable solutions and documentation at group level but without taking into account the context for a Polish controller?
The main areas where the risk of non-compliance may arise are:
1. information obligations,
2. register of personal data processing activities,
3. an agreement on the entrustment of the processing of personal data,
4. retention periods,
5. data protection officer.
Each time a Polish company acts as a controller, it should apply the model information clauses adopted at group level to the individual context in which it processes personal data and the way in which the data is processed.
Similarly to the information clauses, the register of processing operations is to be adjusted to the realities of the processing of personal data by a specific controller. This means that a Polish company processing data locally should, as a rule, complete the register on its own.
If a Polish company uses its own processors (e.g. a local accounting and bookkeeping office, an IT or archiving company), it is required to enter into agreements on the entrustment of the processing of personal data with them in accordance with the requirements of the GDPR.
Retention periods for personal data may result from national legislation, e.g. for accounting or employee records. It is very likely that the implementation of the GDPR on a global level does not take into account Polish data retention provisions.
A corporate group may appoint a data protection officer (DPO) for several companies, but the person performing this important function should be familiar with the context and specificity of the processing of personal data by the Polish company and be familiar with the practice of the Polish supervisory authority. Otherwise, the appointment of a global DPO to perform the function of DPO also in a Polish company may be purely formal and not meet the requirements of the GDPR. In order to minimise the above risks of non-compliance with the GDPR, a Polish company which is part of a multinational group should at least verify and supplement the personal data protection documentation introduced at the group level, taking into account the specific nature of its activity and the local context of data processing. Such action may protect it from imposition of a severe fine.
The author of the article is adv. Michał Kalata, the text was published in Poland Weekly on 10 August 2022.