The grounds for and the course of inspections under the new personal data protection regulations

2018.05.30

In the new Personal Data Protection Act, the legislator pays considerable attention to inspections of compliance with personal data protection laws (both the GDPR and the national industry-specific regulations). An inspection may not last longer than 30 days. It can be launched on the basis of an inspection plan approved by the President of the Personal Data Protection Office, on the basis of information obtained by the President, or as a result of the routine monitoring of GDPR compliance. The entity subjected to the inspection will have to designate an authorized representative in writing.

The inspectors' rights will include, inter alia, access to the workplace being inspected between 6.00 and 22.00 (without prior warning), access to all the documents and information covered by the scope of the inspection, inspecting the IT systems, and interviewing as witnesses all the persons who may have information of importance in the given case. They will also have the right to interview the employees of the entity being inspected. You are required to provide the conditions and means necessary for the inspection to be carried out efficiently. This duty encompasses, inter alia, the preparation, at your own cost, of copies or printouts of documents that are in your possession. If the inspectors encounter resistance while carrying out the inspection, they will be able to request the assistance of the police. The inspectors will also have the right to record the course of the inspection. The inspection will be concluded with a protocol. If you disagree with it, you will have the right to file written objections. However, the response to the objections could include further inspection. A good solution is to prepare and implement a procedure to follow in the event of an inspection.