In response to increased public interest in the Instruction on the practical implementation of the supervisory activity of the Personal Data Protection Commission, the Commission informs data controllers and processors that it is publishing the Instruction here.
The Instruction is an internal document adopted on the basis of Article 12(10) of the Personal Data Protection Act by a decision of the CPDP of 29 May 2020 (Protocol No 23/2020), as amended and supplemented by a decision of 24 June 2021 (Protocol No 27/2021). By laying down the methodology for carrying out the different types of inspections (sectoral inspections, joint inspections with other supervisory authorities, prior consultation, etc.), the Instruction aims to establish uniform rules and a single approach to the conduct of supervisory activities by the CPDP and its administration.
As appendices to the Instruction, the Commission has adopted a Methodology for determining the level of risk of personal data breaches and a Questionnaire on the conduct of CPDP supervision activities. The Methodology is an important tool for the supervisory authority when handling personal data breach notifications submitted under Article 33 of Regulation (EU) 2016/679 or Article 67 of the Personal Data Protection Act, respectively. Depending on the assessed risk level, the Commission decides on follow-up actions and on communication with the controller affected by the breach (see Chapter Four, Section VII of the Rules of Procedure of the CPDP and its administration).
The purpose of the Questionnaire on inspections in the performance of the supervisory activity of the CPDP (KZLD) is to collect information in advance in order to clarify the context of the personal data processing and to facilitate the establishment of facts and circumstances relevant to the subject matter of a specific inspection. The Questionnaire is sent in advance to each controller subject to inspection.
By publishing the Instruction and its appendices, the Commission aims to raise awareness of how it exercises its supervisory powers, thereby contributing to the consistent application of Regulation (EU) 2016/679 and the Personal Data Protection Act. The Commission nevertheless draws attention to the fact that these documents are purely internal in nature and create no rights or obligations for data controllers, processors or data subjects. Knowledge (or lack of knowledge) of the content of the published documents, and their application (or non-application) in the activities of a controller or processor, is irrelevant to the supervisory authority's findings on compliance or non-compliance with data protection requirements and cannot be treated as a mitigating or aggravating circumstance in a specific case.
When developing these documents, the Commission took into account national and foreign experience in supervisory activity, the guidelines of the European Data Protection Board, the legal framework for the protection of personal data, and the minimum requirements for network and information security. The Instruction on the practical conduct of the supervisory activity of the Personal Data Protection Commission and its appendices are subject to periodic updates in order to reflect current national and European good practice and to keep pace with developments in the social relations that are subject to supervision.