On 1 January 2015 an amendment to the Polish Personal Data Protection Act entered into effect. This amendment imposes new obligations on entities with regard to the processing of personal data and specifies in detail the function of the Information Security Administrator.
Is it obligatory to appoint the Information Security Administrator?
It is not obligatory to appoint the Information Security Administrator in a company. If the Information Security Administrator is appointed, he should be registered with the General Inspector for the Protection of Personal Data (GIODO) within 30 days. Information Security Administrators who were appointed before 1 January 2015 have to be registered with the GIODO by 30 June 2015; otherwise they will not be able to continue with their duties.
What are the responsibilities of the Information Security Administrator?
The Information Security Administrator’s main responsibilities are:
- to oversee the processing of personal data and to prepare reports on this issue for the Personal Data Controller (which in most cases is your company),
- to prepare reports at the GIODO’s request,
- to maintain a registry of processed personal data, with the exception of sensitive information, that is, data concerning, for instance, someone’s health.
What are the advantages of appointing the Information Security Administrator?
If the Information Security Administrator has been appointed and maintains a registry of processed personal data, there is no longer any obligation to register with the GIODO registries of personal data that is not sensitive. Registries already registered do not need to be updated further.
If the Information Security Administrator is not appointed, his responsibilities are carried out directly by the Personal Data Controller, who is then subject to full legal liability, including criminal liability, for the processing of personal data. All registries of processed personal data, even those including only non-sensitive information, have to be registered with the GIODO.
Who can be the Information Security Administrator?
The Information Security Administrator can be a person who possesses specialist knowledge in the field of personal data protection, has full legal capacity and retains all public rights, and has not been sentenced for committing an intentional crime.
The Information Security Administrator has to be independent within the company’s structure and be directly subordinate to the management board of the company.
It is also possible to outsource the functions of the Information Security Administrator.