2019 sectoral inspection plan of the Polish Personal Data Protection Office

​The Polish body responsible for compliance with the GDPR (the President of the Personal Data Protection Office – PDPO) published on 24 January a plan of inspections of personal data processing in certain sectors of the Polish economy.

In 2019, the inspectors will focus on the public sector, law enforcement and courts, healthcare, recruitment and education, as well as the private sector.

In the public sector, inspectors may look into CCTV monitoring in cities, data disclosures by public authorities, how the authorities keep records of data processing activities and how they document data protection breaches.

As regards the law enforcement and courts, inspectors may look into to the work of Police, Border Guard, detention centres and entities authorised to access SIS/VIS systems.

In the healthcare, recruitment and education sectors, inspector may visit schools and other education establishments (to check CCTV surveillance and recruitment) as well as healthcare establishments (to check the disclosure of medical documentation).

In the private sector, inspections will focus on telemarketing businesses and data brokers (in respect of the legal grounds for data processing) as well as banks and insurance companies (in respect of profiling).

The inspection plan shows that the Polish supervision authority will deal with issues that spark the biggest controversies, such as video surveillance and recruitment.

The inspection plan has been designed in response to numerous signals (including complaints, enquiries and reported breaches of personal data regulations) of threats to the personal data protection in the above areas.

From the point of view of businesses, the most important are potential inspections of video surveillance and recruitment procedures among employers. The GDPR does not regulate these issues comprehensively and significant aspects have been refined in Polish laws, including the Labour Code and implementing regulations. Polish lawmakers are soon going to pass a new statute amending several acts in connection with the GDPR, also in respect of the above issues.

The regulations on inspections are set out in the Polish Personal Data Protection Act of 10 May 2008. Inspections follow the inspection plan, but are also carried out in response to reports received by the PDPO president or as part of the GDPR compliance monitoring.

Inspectors have the right to:

• access land, buildings, premises and other space from 6:00 to 22:00;
• check documents and information directly related to the subject matter of the inspection;
• check sites, things, devices, carriers as well as IT or ICT systems used for data processing;
• request written or oral explanations and interview individuals as witnesses to determine the facts and circumstances;
• commission expert analyses and opinions.

Importantly, any attempts to hinder the inspections are treated as crimes subject to penalty in Poland. Therefore, PDPO’s inspections should be taken seriously.