[co-author: Wiktoria Kossakowska-Wojdaszka]
The Polish Personal Data Protection Office has recently published a plan for sectoral investigations for 2024, which covers both public institutions and private entities. The plan is a framework for DPA’s activities, which allows concerned entities to determine the likelihood of being investigated.
The 2024 plan for sectoral investigations has been recently published by The Polish Personal Data Protection Office (“the DPA”). It will serve as a framework for the upcoming activities of the DPA. The plan indicates groups of entities that it concerns, thus allowing interested parties to determine the likelihood of being investigated.
Private entities
Companies that process personal data via web applications make up the first group of entities that may be investigated. Contrary to websites, web apps are of interactive nature. They run in a web browser allowing their users to take certain actions, e.g., buy airplane tickets, book accommodation or execute payments. The DPA plans to check how the data processed in connection with the use of web apps is secured and made available.
Moreover all private entities, regardless of whether they do or do not use web apps, may be subject to investigation concerning their compliance with the information duty stemming from articles 13 and 14 of the GDPR.
Public institutions
The DPA will also inspect public institutions that process data in Schengen Information System (SIS) and Visa Information System (VIS). Both systems are indispensable for the proper functioning of Schengen Area. SIS allows Schengen countries to share information in order to ensure border security, compensating for the lack of physical border controls. VIS on the other hand allows Schengen countries to exchange visa data and supports visa-related processes. The DPA will check whether processing of data obtained via SIS/VIS occurs in accordance with the provisions of the Act on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, as well as executive acts and EU regulations.
Consequences
If the DPA finds that the investigated entity infringes regulations, it may impose a penalty of up to 20 million euros or 4% of company's annual turnover, depending on the type of violation. It must be emphasized that the DPA rarely takes action that goes beyond its annual plan. Thus, the plan is an important indicator of what may be expected from the DPA this year.
[View source.]
