New guidance from the Polish DPA: a warning for all Safe Habor (ex)participants

The Polish DPA has recently issued a statement to the effect that all companies which previously relied on Safe Harbor program must be able to demonstrate a valid legal basis – as set out in the Polish Data Protection Act – to legally transfer personal data to the USA.

In the view of the DPA, the ‘grace period’ (lasting until the end of January 2016) mentioned in the recent statement of the A29 Working Party does not allow data controllers to transfer personal data to the USA without meeting at least one of the legal prerequisites set out in the Polish Data Protection Act (i.e. consent, performance of a contract, etc.)

The ‘grace period’, in the opinion of the Polish DPA, should be treated as the maximum point in time until which the data protection authorities of the Member States, as a rule, will not initiate steps to enforce implementation of the Schrems’ judgment.

Concluding, the DPA states that if it receives a complaint from a data subject, administrative proceedings will be initiated to discover if the legal prerequisites were met. If the data controller is unable to show valid grounds for transfer, the transfer will be deemed illegal.

What may happen ?

In that case the DPA has certain measures available under Polish law, including issuing a prohibition order to stop data transfer or filing a motion to the public prosecutor to start a criminal investigation into such illegal disclosure of data.

Our recommendation

We recommend that data controllers implement data transfer agreements based on standard contractual clauses as soon as possible, as Polish law recognizes this approach as providing a lawful instrument to cover data transfers.