The first Polish code of conduct compliant with the GDPR approved
The President of the Personal Data Protection Office approved the "Code of Conduct concerning the Protection of Personal Data Processed in Small Medical Facilities" developed by the Federation of Healthcare Employers' Unions (FZPOZ) Zielona Góra Agreement. The Polish supervisory authority has also granted accreditation to RS Jamano, which will act as a monitoring body for the application of the code.
Jakub Groszkowski, Deputy President of the Personal Data Protection Office, while handing over the decision approving the code to representatives of the code initiative on 14 December 2022, said: "The purpose of the code of conduct is to ensure the protection of the personal data of patients and other persons in healthcare facilities. Certainly, the adopted code of conduct will not only help medical facilities to comply with the requirements of the GDPR, but also raise awareness of data protection among patients. Raising awareness and broadening of knowledge of the role of personal data protection and building appropriate attitudes among both controllers and citizens is a process in which the Personal Data Protection Office is actively involved."
In the opinion of the supervisory authority, the code of conduct presented by FZPOZ complies with the provisions of the GDPR and provides an appropriate data protection safeguard stipulated in the Regulation. The decision of the President of the Personal Data Protection Office concludes the period of work on the content of the code and gives medical facilities the opportunity to start preparations for its implementation.
“The Code of Conduct of the GDPR of the FZPOZ was created to clarify the intricate provisions related to the protection of personal data in medical facilities. Owing to the clear instructions, the institutions will be able to implement appropriate solutions and gain full control over the processes taking place in the area of personal data protection, thus reducing the risk of chaos or searching for inappropriate solutions in the event of a breach of personal data of patients" — said Jacek Krajewski, President of the Federation of the Healthcare Employers’ Unions Zielona Góra Agreement.
Codes of conduct. Why are they worth developing?
The application of the code of conduct entails a number of benefits. First of all, the facilities which will apply it may be guaranteed that certain solutions approved by the supervisory authority are correctly used. They can also count on supervision over the processing of personal data by an independent monitoring body of the code. It is also important that, according to the GDPR, a supervisory authority, when considering imposing a fine on a given entity, must take into account in each case whether the entity correctly adheres to approved code of conduct.
As Monika Krasińska, Director of the Case Law and Legislation Department, Personal Data Protection Office said: “The Personal Data Protection Office continues to encourage industry-specific organisations to come up with initiatives for the creation of codes of conduct. Such actions help originators to properly comply with the personal data protection provisions and to comply with the duties imposed by the GDPR on the controllers."
The monitoring body
During the same meeting, Jakub Groszkowski handed over the first certificate granted by the President of the Personal Data Protection Office confirming the accreditation of the monitoring body. This certificate was granted to RS Jamano Ltd.
“With the protection of personal data, it’s a bit like petting a cat — it’s a continuous process, not a one-time process. The same is true for the application of the code — the accession of a medical facility to the code means that it accepts an obligation to ensure and maintain a high level of protection of personal data. On the other hand, it is the task of the monitoring body to cooperate with the facilities on an ongoing basis to ensure that this is the case throughout the period of code membership. We are now ready to act." — said Paweł Makowski, Vice President of the Management Board of RS Jamano.
The code of conduct must indicate the body monitoring the compliance with this document by controllers and processors that accede to the document. This entity meets certain requirements, such as: having expertise in the field covered by the code; maintaining independence; having procedures in place to assess whether controllers comply with the code and to deal with complaints relating to the infringements of the code.
In addition, RS Jamano complies with Guidelines 1/2019 of the European Data Protection Board (EDPB) and Accreditation Requirements, which are defined by the Polish Personal Data Protection Office and on which the EDPB issued an opinion in order to ensure consistency in the application of the GDPR in all Member States.
Medical facilities affiliated to the FZPOZ will soon be able to apply for membership to the code of conduct through the online platform of the monitoring body.