Monitor Prawniczy

no. 6/2015

Information security administrator after the amendment of the Personal Data Protection Act of 7 November 2014 – assessment of solutions

Arwid Mednis
The author holds a doctorate in law, is a docent at the Department of Administrative Science of the Faculty of Law and Administration, University of Warsaw, and is a partner at the law firm Wierzbowski Eversheds in Warsaw.
Abstract

The amendment of the Personal Data Protection Act of 29 August 1997, adopted on 7 November 2014, made the appointment of information security administrators (ABI) optional. The legislator promotes the appointment of an ABI by exempting the majority of data sets kept by an entity that has decided to appoint one from the duty to register. At the same time, it was decided to compile a statutory list of the ABI’s responsibilities, which includes controlling the legality of personal data protection at GIODO’s request and keeping a register of personal data sets. ABIs must be submitted to the public register kept by a personal data protection authority. A very important solution is the determination of the ABI’s status as a person reporting directly to the entity’s head.

The data administrator has to secure the “resources and organizational independence” necessary for the proper performance of the ABI’s tasks. The ABI and the subordinated personnel should form a separate organizational unit or division in the company and be allocated an appropriate budget and resources securing that independence in performance. The new way of regulating the ABI’s status may result in the ABI being treated as a serious function in a company or institution, but may also discourage such appointments.