The Polish Data Protection Authority (PUODO) has recently published its sectoral inspection plan for 2024. Every year, the authority indicates which business sectors or specific processing operations will be subject to increased regulatory scrutiny and potential enforcement for non-compliance. This year's plan includes three points, one of which relates to public authorities processing personal data in the Schengen Information System (SIS) and the Visa Information System (VIS). The other two points, however, are relevant to private sector businesses regardless of industry.
1. Personal data processing through web applications
The list includes entities processing personal data using Internet (web) applications. The PUODO specifies that it will verify the method of securing and sharing personal data processed in connection with the use of these web applications.
A web application is software that is accessed and used through a web browser rather than installed locally on the user's device. It is difficult to imagine a business in 2024 which does not use any web apps. Web applications are used by businesses across various domains to manage operations, communication, sales, and much more. They often play a crucial role in the digital infrastructure of modern businesses, enabling them to be more efficient and customer-focused. Here are some examples of commonly used web applications for various use cases:
- Communication and video conferencing (e.g., Zoom, Microsoft Teams, Webex, Slack),
- Document management and storage (e.g., Google Drive, Dropbox, Evernote Business),
- Customer relationship management (e.g., Salesforce, Microsoft Dynamics, Pipedrive).
The PUODO's plan covers not only the providers of web apps but also every entity that processes personal data through them (i.e., the business customers using the apps as controllers or processors), which makes the scope of this point very broad.
2. Privacy notices - transparency obligations
The Polish regulator will also focus this year on verifying the correct fulfilment of information obligations by private sector entities.
Under the GDPR, a data controller must provide data subjects with a privacy notice setting out how the individual's personal data will be processed. Article 12 of the GDPR lays down the general rules on transparency (the information must be concise, transparent, intelligible, easily accessible and in clear and plain language), whereas Articles 13 and 14 of the GDPR list the specific information which must be provided to data subjects, depending on whether the data is collected directly from them (Article 13) or obtained from another source (Article 14).
In practice, this point of the PUODO's inspection plan covers all private sector businesses, regardless of the industry they operate in. All controllers must comply with the GDPR transparency obligations, and all businesses use privacy notices of some kind, tailored to their own processing operations.
Comment
Looking at the inspection plans published by the PUODO in the last few years, we can see that the regulator's approach has clearly shifted towards very broad categories of processing operations across all sectors, leaving most private businesses open to inspection by the PUODO under this year's sectoral inspection plan.
The new inspection plan could therefore affect all businesses in Poland, which will need to double down on their compliance in order to avoid enforcement.
Next steps
Businesses operating in Poland should take stock and assess the GDPR compliance of their privacy notices and of the way they secure and share personal data processed through web applications.
By Szymon Sieniewicz, Head of TMT/IP, Linklaters Warsaw