June 09, 2015
On 1 January 2015 an amendment to the Polish Personal Data Protection Act entered into effect. This amendment imposes new obligations on entities in regards to the processing of personal data and specifies in detail the function of the Information Security Administrator.
Is it obligatory to appoint the Information Security Administrator?
It is not obligatory to appoint the Information Security Administrator in a company. If the Information Security Administrator is appointed, then he should be registered with the General Inspector for the Protection of Personal Data (GIODO) within 30 days. Information Security Administrators which were appointed before 1 January 2015, have to be registered with the GIODO till 30 June 2015, otherwise they will not be able to continue with their duties.
What are the responsibilities of the Information Security Administrator?
The Information Security Administrator’s main responsibilities is:
What are the advantages of appointing the Information Security Administrator?
If the Information Security Administrator has been appointed and he maintains a registry of processed personal data, there is no obligation anymore to register with the GIODO any registries concerning personal data, which is not sensitive. Those already registered, do not need to be further updated.
If the Information Security Administrator is not appointed, then his responsibilities are done directly by the Personal Data Controller, who is then subject to full legal liability, including criminal liability, for the processing of personal data. All registries of processed personal data, even those including only non-sensitive information, have to be registered with the GIODO.
Who can be the Information Security Administrator?
The Information Security Administrator can be a person, who possesses specialist knowledge in the field of personal data protection, has full legal capacity and retains all public rights, and was not sentenced for committing an intentional crime.
The Information Security Administrator has to be independent in the company’s structure and be subject directly to the management board of the company.
It is also possible to outsource the functions of the Information Security Administrator.
Is it obligatory to appoint the Information Security Administrator?
It is not obligatory to appoint the Information Security Administrator in a company. If the Information Security Administrator is appointed, then he should be registered with the General Inspector for the Protection of Personal Data (GIODO) within 30 days. Information Security Administrators which were appointed before 1 January 2015, have to be registered with the GIODO till 30 June 2015, otherwise they will not be able to continue with their duties.
What are the responsibilities of the Information Security Administrator?
The Information Security Administrator’s main responsibilities is:
- to oversee the processing of personal data and to prepare reports regarding this issue to the Personal Data Controller (which in most cases is your company),
- to prepare reports on the GIODO’s requests,
- to maintain a registry of processed personal data, with the exception of the sensitive information, that is data concerning, for instance, someone’s health.
What are the advantages of appointing the Information Security Administrator?
If the Information Security Administrator has been appointed and he maintains a registry of processed personal data, there is no obligation anymore to register with the GIODO any registries concerning personal data, which is not sensitive. Those already registered, do not need to be further updated.
If the Information Security Administrator is not appointed, then his responsibilities are done directly by the Personal Data Controller, who is then subject to full legal liability, including criminal liability, for the processing of personal data. All registries of processed personal data, even those including only non-sensitive information, have to be registered with the GIODO.
Who can be the Information Security Administrator?
The Information Security Administrator can be a person, who possesses specialist knowledge in the field of personal data protection, has full legal capacity and retains all public rights, and was not sentenced for committing an intentional crime.
The Information Security Administrator has to be independent in the company’s structure and be subject directly to the management board of the company.
It is also possible to outsource the functions of the Information Security Administrator.
About the Author
Founder and Managing Partner
phone: +48 602 352 580
Read also
May 30, 2023
Ważne zmiany w ustawie o ochronie konkurencji i konsumentów...
W dniu 20 maja 2023 r. weszły w życie zmiany w ustawie o ochronie konkurencji i konsumentów wynikające z implementacji dyrektywy ECN+ (dyrektywa...
Read more
May 30, 2023
Important changes to the competition law in Poland...
On 20 May 2023 important changes to the Competition and Consumer Protection Law in Poland entered into force as a result of implementation of...
Read more
April 26, 2023
Further amendments to the Labour Code – implementation...
Amendments to the Labour Code which implement two EU directives into the Polish legal system - one on transparent and predictable working conditions...
Read more