The Ministry of Digitalization has published a document that addresses 641 comments made during the public consultations on a package of legislative changes, implementing the General Data Protection Regulation (GDPR). An attempt to discuss the most significant remarks were made during a conference held on January 15th of this year in the Sejm (the lower house of the Polish Parliament). Which of the comments submitted were included by the legislator and which were rejected? It is worth taking a closer look at some of the issues discussed.
Undoubtedly, the issue of concern was the system position of the new authority – President of the Office for Personal Data Protection (PUODO) – in particular, the method of its appointment, scope of competence, single-instance proceedings or judicial and administrative model of decision control. Without a doubt, it is worth presenting the last two aspects in more detail.
According to the draft on personal data protection, the decisions issued by PUODO will be subject to complaint to the administrative court (Chapter 5, Article 44 et seq.). Many of the entities involved in the consultations drew attention to the problem related to the cognition of administrative courts, which is reduced to controlling the legality – not appropriateness – of administrative decisions. There were also doubts as to the compatibility of such a solution with art. 78 of the Constitution of the Republic of Poland, i.e. the right of appeal.
As an alternative to the model adopted in the draft, it was suggested to base the proceedings before the PUODO on civil procedure – analogically as in the case of appeal proceedings against decisions issued by the President of the Office of Competition and Consumer Protection (UOKiK) or the President of the Office of Electronic Communications (UKE), where the competent court is a common court (the District Court in Warsaw – Consumer and Competition Court; former Anti-Trust Court).
However, the above-mentioned arguments did not receive support from the legislator. It has been pointed out that administrative courts also have experience in dealing with matters relating to the protection of personal data. The Province Administrative Court in Warsaw (WSA) was mentioned as an example. WSA has already begun the practice of issuing rulings and hired experts. As a result, according to the legislator, the administrative model of decision control is justified in this case.
Work on the draft is still being continued. After finishing the discussion on the PUODO, the Ministry of Digitalization committed itself to reconsidering the single-instance nature of the proceedings. Within two months, the draft should be submitted to the Sejm. An equally significant issue as the work on the act itself – and perhaps even more important, especially at the initial stage of the validity of the GDPR – are the implementing and transitional provisions. In accordance with the statement presented during the conference, those provisions will be included in a separate legal act.