The application of the so-called Kamilka Act and data protection standards

Zapisz
zarzut potrącenia, Sąd Najwyższy, oświadczenie art. 203¹ k.p.c., pełnomocnik procesowy

Table of Contents:

  1. New obligations related to the so-called Kamilka Act
  2. What to pay attention to when processing personal data in connection with the Act on preventing sexual crime?

In today’s post, we will look at the application of the so-called “Kamilka Act” in the context of data protection regulations.

It has been over a month since the entry into force of the provisions concerning child protection standards, introduced into the legal system through Articles 22b and 22c of the Act of May 13, 2016, on preventing sexual crime and protecting minors. These regulations aim to improve responsiveness to signals from children and verify the qualifications of individuals working with them.

Preventive and preemptive measures, such as safe recruitment and safe relationships with children—introduced by the 2023 amendments to the Act on preventing sexual crime, including child protection standards, effective from August 15, 2024—require consideration of GDPR requirements.

New obligations related to the so-called Kamilka Act

The current regulations introduce child protection standards for all institutions where children are present. They apply to governing bodies of educational institutions (preschools, schools, and youth shelters) and other educational, care, reformatory, religious, artistic, medical, recreational, sports, or interest-related institutions attended by minors. They also cover organizers of such activities, as well as entities providing hotel, tourist, or other collective accommodation services. These entities had until August 15, 2024, to implement standards for working with children. One significant change is the requirement for employers or organizers of activities to obtain information on whether a prospective employee or participant is listed in the Restricted Access Register or in the register of individuals against whom the State Commission for Counteracting Sexual Exploitation of Minors under the age of 15 has issued an order for inclusion in the register.

The person with whom employment is to be established or who is to be admitted to the activity must also provide information regarding their criminal record. This applies to crimes of a sexual nature, crimes against life and health (e.g., assault, causing bodily harm), crimes of abuse, human trafficking, offenses under the Anti-Drug Act, or information on equivalent offenses under foreign law.

Co może sprawdzać pracodawca?

What to pay attention to when processing personal data in connection with the Act on preventing sexual crime?

The President of the Personal Data Protection Office (UODO) points out that data about employees, job candidates, and information provided by children should be processed in accordance with the principles outlined in the GDPR. Therefore, the following should be verified and updated:

  • Categories of individuals whose data is processed and the scope of collected and processed personal data—limit it to the data necessary for fulfilling legal obligations.
  • Information clauses—specifically verify purposes, legal basis for processing, information about recipients or categories of data recipients, data retention, and data sources; ensure transparency of information and communication.
  • Ensure compliance with information obligations towards all individuals from whom data is collected (in accordance with Articles 13-14 GDPR, taking into account the exclusions resulting from Article 14(5) GDPR).
  • Appoint individuals authorized by the data controller who have access to personal data and are responsible for implementing the tasks arising from the new child protection regulations; assign them appropriate authorizations, require them to maintain data confidentiality, and review the ways in which the controller’s instructions are communicated.
  • Review the channels of personal data flow/circulation and the tools used for this purpose.
  • Ensure that established data processing methods are known to and understood by designated/authorized individuals—i.e., implement them, conduct appropriate training on data processing procedures; ensure awareness, especially regarding the processing of special categories of data, highly sensitive information.
  • Consider what documents, in what form (traditional and electronic), and how they should be processed to comply with new legal regulations; limit actions on documents to those strictly necessary.
  • Assess the obligations arising from the implemented regulations in the context of relationships between the data controller and individuals whose data is processed, including in relation to record-keeping—especially regarding children, their parents/legal guardians, facility wards, clients, employees, job candidates, e.g., ensuring the confidentiality of spaces for conversations with children or other individuals whose data is processed.
  • Review and update solutions, including documentation related to the recording of data processing activities and the procedure for reporting breaches.

If your organization is subject to the regulations under the so-called Kamilka Act, do not delay—implement the above actions as soon as possible.

LET US EXAMINE YOUR CASE

Write to us