Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Poland: UODO provides guide on new children's data protection standards
On August 14, 2024, the Polish data protection authority (UODO) provided guidance on the adoption and implementation of the 2023 amendments to the Act on Counteracting Threats of Sexual Crime (the Kamilka Act) that provides new standards for the protection of minors in alignment with the requirements of the General Data Protection Regulation (GDPR).
What is the scope of the new standards?
The UODO announced that the new obligations apply to bodies managing education system units (kindergartens, schools, and youth hostels) and other educational, care, resocialization, religious, artistic, medical, recreational, sports, or interest-related facilities attended or where minors stay, as well as organizers of these activities and entities providing hotel and tourist services or running other collective accommodation facilities. The new standards also apply to guardians.
What should data controllers consider when applying the new standards?
In dealing with the amendments to the Kamilka Act, the UODO suggested that administrators pay attention to the following:
- conducting a risk analysis for the processing of personal data, verifying current data protection policies, and reviewing methods of implementing the GDPR obligations; and
- adopting solutions that take into account data protection by design and default in the design phase when using methods for processing data that meet the new standards.
What do the new standards require to be verified and updated?
- Categories of persons whose data is processed and the scope of collected and processed personal data;
- information obligation clauses;
- information obligations towards all persons from whom data will be obtained;
- authorization granted to designated persons who have access to personal data and are responsible for carrying out tasks arising from the new standards and verifying the methods of transmitting the administrator's instructions;
- verification of the channels of flow/circulation of personal data and the tools used;
- ensuring that the established methods of data processing are known to the designated persons and are understandable to them;
- documents (traditional or electronic form) and how they are to be processed to implement the new standards;
- obligations of the controller to the data subjects in line with the new standards, including in the scope of documentation kept, particularly relating to children, their parents/statutory representatives, the facility's wards, clients, employees, and job candidates; and
- verifying and updating solutions, including documentation regarding recording processing activities and the procedure for reporting breaches.
What are the roles and concerns of the data protection officer (DPO) in meeting the new standards?
- Conducting a risk analysis before implementing technical and organizational security procedures;
- updating information clauses when changing the data that is to be processed;
- places for talking with children must ensure confidentiality;
- that data should be anonymized or pseudonymized to minimize the risk of identifying individuals;
- granting access to data only to people whose scope of duties justifies it and adapting access authorizations in the IT system to match;
- regularly checking the validity of authorizations granted;
- ensuring the security of equipment and devices used;
- having strong password policies;
- that if the standard requires that certain documents be kept in personal files, they should be kept in another location where only authorized persons have access to them; and
- concluding data processing agreements if entrusting certain data operations (e.g., data storage) outside of the organization.
Finally, the UODO mentioned that the new standards will begin to apply from August 15, 2024.
You can read the press release, only available in Polish, here.