Commentary to Article 57

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Tasks

  • GDPR Article 57 lists the tasks that the GDPR imposes on the supervisory authority

Performance of Tasks by the Supervisory Authority

The supervisory authority in Poland is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych - "PUODO").

Article 57(1)(a) to (v) sets out a long list of tasks performed by the supervisory authority. With regard to how these tasks are carried out in Poland, it is worth pointing out that:

  • PUODO regularly shares knowledge via its website, thereby spreading awareness among controllers and processors of their obligations under the GDPR (as referred to in GDPR Article 57(1)(d));
     
  • PUODO’s list related to the requirement to perform a data protection impact assessment under GDPR Article 35(4) (as referred to in GDPR Article 57(1)(k)) is available here (in Polish);
     
  • Information on PUODO-approved codes of conduct (referred to in GDPR Article 57(1)(m)) is available here (in Polish);
     
  • The criteria for the accreditation of code of conduct monitors (referred to in GDPR Article 57(1)(p)) are described here (in Polish).

Supervisory authority in Poland - news

On 16 January 2025, PUODO published its sectoral audit plan for 2025.

The main areas that PUODO will audit in 2025 include the security of medical data and the security of the processing of children's personal data. As PUODO points out on its website, the plan covers sectors in which the threat of personal data breaches is increasing, as well as areas of high public interest.

PUODO's sectoral audit plan for 2025 is as follows:

  1. Authorities that process personal data in the European Union's large-scale IT systems, including the processing of SIS/VIS personal data on the basis of the Act of 24 August 2007 on the Participation of the Republic of Poland in the Schengen Information System and the Visa Information System (Journal of Laws of 2023, item 1355, as amended), its implementing acts and the relevant European Union regulations.
     
  2. Entities that process health data: how the security of personal data is ensured.
     
  3. Entities that process children's data: the processing of children's images where the consent of parents or legal guardians is required.
     
  4. Data controllers: implementation of the obligation under GDPR Article 33(5) (Regulation 2016/679) to document every personal data breach, including the circumstances of the breach, its effects and the remedial action taken.

Since compliance with GDPR Article 33(5) is one of the areas covered by the audit plan, controllers should verify that they keep a proper record of personal data breaches and that each entry contains all the elements required by the GDPR (the facts of the breach, its effects and the remedial action taken). We discuss controllers' obligations in this regard in the commentary to Article 33.