GDPR comes into force – shall we be afraid of the inspection?

Here comes that day – since today the provisions of the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on repealing the directive 95/46/EC (also commonly known as GDPR) come into force. The object of GDPR is among others to normalize the rules concerning the processing of personal data within the European Union, what arises from the principle of direct effect of such legal acts in each and every Member State – without the necessity of their implementation at the domestic legislation level. Notwithstanding the above, GDPR exacts however the legislative adjustment of existing legal acts to the new regulations. We know now that Parliament managed to pass the new act on the protection of personal data and the President of the Republic of Poland signed this act only three days ago. Nevertheless, the necessary changes shall still involve the wide scope of another several dozen legal acts. However, if these two basic legal acts came into the force – shall we be afraid of the inspection?            

We are pleased to inform that the Clients of our Law Firm who contracted out the extensive implementation concerning the procedures involving the protection of personal data are fully prepared for the operation of GDPR. On the other hand, it is still not too late for the entrepreneurs who missed the two-year period between the act’s entry into force and the day in which it shall begin to apply. It shall be pointed out that the GDPR’s regulations are mainly of the preventive nature. They aim at mobilizing every personal data administrator to specify it individually which measures shall be undertaken in order to protect the personal data effectively (so-called risk-based approach).

Besides, GDPR implements the principle of accountability. It means that in the event of possible inspection every personal data administrator shall be obliged to prove before the President of the Personal Data Protection Authority whether and which safety measures were applied. The supervisory organ has the role to verify if GDPR’s regulations are respected, especially within the scope of the fulfillment of all obligations imposed on the personal data administrator and the safety measures concerning the personal data.

Answering the above question whether we shall be afraid of the inspection in relation to the entry of GDPR into force – it shall be pointed out that one of the basic tasks of the Personal Data Protection Authority is to monitor and enforce the application of GDPR. Within the scope of execution of this task, the supervisory body is authorized to carry out proceedings in the form of audit concerning the data protection (article 57.1.a) and article 58.1.b) GDPR). However, it does not change the fact that in light of other provisions of the Regulation (especially article 33 GDPR which imposes an obligation on the personal data administrator to notify every incident concerning the breach of the personal data protection within 72 hours since its ascertainment) the possible control procedures, as a rule, shall be rather of the consecutive nature.         

Finally, the last issue shall be mentioned. In the course of possible inspection, the supervisory body shall not investigate the date in which the personal data administrator implemented the above procedures – unless it has an association with the specific incident concerning the breach of personal data protection. Consequently, all of the “latecomers” have still the possibility to take the appropriate actions in order to sleep peacefully – like our Client Startit Fund sp. z o.o. who decided to mark the services of our Law Firm via the reference letter, so today we are greatly honored to boast of it.             

Attorney-at-Law Trainee Mariusz Maksis