On 24 January 2019, the Personal Data Protection Office (UODO) published a sectoral inspection schedule for 2019. According to the schedule, as approved by UODO’s President, the inspections will aim at verifying the legitimacy of personal data processing in the following private sectors: telemarketing, data brokers (as regards legal grounds for personal data processing) and profiling in the banking and insurance sector.

As for the public sector, the supervisory authority will investigate:

  • Municipal surveillance systems (a continuation of the inspections commenced back in 2018)
  • Waste identification and monitoring systems
  • The manner in which registers of housing cooperatives’ members are kept and secured
  • Disclosure of data in the Public Information Bulletin (BIP)
  • The manner in which the correspondence containing personal information is mailed out.

Inspectors will also check whether controllers keep registers of processing operations and if they document data breaches.

According to the schedule, inspectors will not avoid courts and law enforcement agencies. Police, Polish Border Guard and detention wards should expect inspections focusing on technical and organisational measures implemented in order to secure personal data for processing. In addition, UODO shall control schools and educational establishments (especially in the context of processing of personal data collected via surveillance cameras), employers (in the contexts of employee surveillance and recruitment process), healthcare providers (with regard to disclosing medical records, thus exercising the patients’ right to access the medical records concerning their health and healthcare services rendered to them).

The audits that the regulator plans to conduct in 2019 are motivated by numerous complaints and notifications filed with the UODO, regarding personal data protection laws infringement in the above mentioned areas of activity.

Although the Polish regulator has, so far, taken a rather lenient approach towards controllers (with no fines under GDPR having been imposed to date), 2019 is expected to be the year when this will change, and fines will ensue.

Detailed plan of sectoral controls for 2019 can be found on the UODO website.