Poland: The DPA publishes a new plan for sectoral investigations

The Polish Personal Data Protection Office has recently published a plan for sectoral investigations for 2024, which covers both public institutions and private entities. The plan is a framework for the DPA’s activities, which allows concerned entities to determine the likelihood of being investigated.

The 2024 plan for sectoral investigations has recently been published by the Polish Personal Data Protection Office (“the DPA”). It will serve as a framework for the DPA's upcoming activities. The plan indicates the groups of entities it concerns, thus allowing interested parties to determine the likelihood of being investigated.

Private entities

Companies that process personal data via web applications make up the first group of entities that may be investigated. Unlike websites, web apps are interactive. They run in a web browser and allow their users to take certain actions, e.g., buy airplane tickets, book accommodation or execute payments. The DPA plans to check how the data processed in connection with the use of web apps is secured and made available.

Moreover, all private entities, regardless of whether they use web apps, may be subject to investigation concerning their compliance with the information duty stemming from Articles 13 and 14 of the GDPR.

Public institutions

The DPA will also inspect public institutions that process data in the Schengen Information System (SIS) and the Visa Information System (VIS). Both systems are indispensable for the proper functioning of the Schengen Area. SIS allows Schengen countries to share information in order to ensure border security, compensating for the lack of physical border controls. VIS, on the other hand, allows Schengen countries to exchange visa data and supports visa-related processes. The DPA will check whether the processing of data obtained via SIS/VIS occurs in accordance with the provisions of the Act on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, as well as executive acts and EU regulations.

Consequences

If the DPA finds that the investigated entity infringes regulations, it may impose a penalty of up to 20 million euros or 4% of the company's annual turnover, depending on the type of violation. It must be emphasized that the DPA rarely takes action that goes beyond its annual plan. Thus, the plan is an important indicator of what may be expected from the DPA this year.

Authored by Ewa Kacperek and Wiktoria Kossakowska-Wojdaszka.

 
