A new act, published on 17 June 2024, implements the DAC7 Directive in the Polish legal system and is generally scheduled to come into force as early as 1 July 2024.

In addition to including provisions related to digital platform operators, the act imposes a new obligation on promoters and service providers to protect individuals' personal data.

New requirement related to GPDR added to MDR provisions

According to newly introduced Article 86da Section 1 of the Tax Ordinance, a promoter and a service provider who provide tax arrangement information are required to provide, in writing, to the individual to whom the tax arrangement information relates details regarding:

1. The information being collected, processed and transferred in line with Chapter 11A "Information on Tax Arrangements"
2. The individual's right to seek and receive information from the data controller in sufficient time for the individual to exercise his or her right to protect personal data before the information is transferred

Section 2 of Article 86da requires the promoter and the service provider who provide tax arrangement information to immediately notify the individual to whom the tax arrangement information relates, in writing, regarding the likelihood of a security breach of their personal data collected and processed for the purpose of the automatic exchange of information if this breach is likely to adversely impact the individual's personal data protection.

The amendment, including the newly added Article 86da, is scheduled to take effect on 1 July 2024.

Objective behind new law and who will be affected

As the reasons section of the bill states, the cited provision implements Article 25(3) and (4) of Directive 2011/16/EU, which reads:

3. Reporting Financial Institutions, intermediaries, Reporting Platform Operators and the competent authorities of Member States shall be considered to be data controllers when, acting alone or jointly, they determine the purposes and means of the processing of personal data within the meaning of Regulation (EU) 2016/679.
4. Notwithstanding paragraph 1, each Member State shall ensure each Reporting Financial Institution or intermediary or Reporting Platform Operator, as the case may be, which is under its jurisdiction: (a) informs each individual concerned that information relating to that individual will be collected and transferred in accordance with this Directive; and (b) provides to each individual concerned all information that the individual is entitled to from the data controller in sufficient time for that individual to exercise his/her data protection rights and, in any case, before the information is reported.

Note that the terms Polish lawmakers introduced in the Polish legal system when implementing the Mandatory Disclosure Rules (MDR) law were "service provider" and "promoter," defined in Article 86a Section 1 Item 18) and 8) of the Tax Ordinance respectively¹ — not the term "intermediary" (which is used in the provision cited above).

According to the reasons section of the bill: "Since Directive 2011/16/EU features a legal norm that refers to intermediaries, it became necessary to implement this norm in the Tax Code, which sets forth national provisions governing duties imposed on entities of that type. However, please note that generally it is intermediaries [that] hold personal data of other entities because responsibility for reporting duties lies primarily with them."

Notwithstanding, new Article 86da applies to promoters and service providers who provide tax arrangement information concerning an individual (or individuals). As a result, it seems that this duty should not apply for cases in which an entity filing information about a tax arrangement:

• Conveys information that does not concern individuals (e.g., it concerns solely companies, such as those carrying out a merger and/or distributing a dividend)
• Acts solely as a beneficiary (the law imposes the duty on promoters and service providers only)

Information that should be provided according to Article 86da Section 1

The promoter and/or service providers affected by the duties referred to in Article 86da Section 1 of the Tax Ordinance, must determine their responsibilities based on the EU's General Data Protection Regulation (GDPR).² Acting as a personal data controller in line with Art. 13 GDPR (if obtaining a person's data directly) or Art. 14 GDPR (if obtaining data from a third party), promoter/services providers will be required to indicate:

• Their identity and the contact details and, where applicable, their representative's identity and contact details
• Contact details for the data protection officer, where applicable
• The intended purposes of processing the personal data, as well as the legal basis for the processing
• Recipients or categories of recipients of the personal data, if any
• The period for which the personal data will be stored or, if the period is currently unknown, the criteria used to determine that period
• Information about the rights of the person whose data is being obtained (data subject), including the right to (i) request from the controller access to, and rectification or erasure of, personal data, (ii) request restricted processing concerning the data subject, (iii) object to processing, and (iv) obtain data portability
• The right to lodge a complaint with a supervisory authority
• Whether the provision of personal data is a statutory or contractual requirement, or a precondition to entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to do so

Requirement to provide information on likelihood of personal data security breach

The reasons section of the bill reads:

The rules that are being implemented are designed to enable these individuals to take necessary preventive measures. This information should include a description of the type of personal data protection breach and the recommendations for a given individual about how to minimize potential adverse effects. Information should be provided to the individuals to whom the data refers, as quickly as reasonably possible, in close cooperation with a supervisory authority, with respect for the guidelines provided by that authority and/or other competent authorities such as prosecuting authorities. For example, the need to minimize the immediate risk of damage will require that the individuals to whom the data refers be informed without delay, whereas the implementation of adequate measures against the same and/or similar data protection breaches may justify notification at a later time.

Note that the amendment also defines a "data protection breach" to mean "(i) a breach of data security as the result of a deliberate unlawful action, (ii) a negligent act and/or an unexpected event that results in information being compromised, lost and/or altered, or (iii) other event involving improper and/or unauthorised access to, disclosure of or use of the information, specifically in respect of personal data transferred, stored or otherwise processed. Further, the amendment explains, a data protection breach may affect the confidentiality of, access to and/or integrity of data." It is worth noting that the definition of "data breach" adopted in the amendment differs from the definition included in the GDPR.

Impact on existing internal procedures

With the above developments now implemented, entities will want to revisit and possibly amend their procedures, both those governing tax arrangement reporting (i.e., MDR) and personal data protection (i.e., GDPR) to ensure compliance with the law.

It is noteworthy that according to Article 86l Section 3 of the Tax Ordinance an internal (MDR) procedure is to be approved by senior executives of a given entity, including Board members and/or directors who have knowledge of tax law and make decisions that affect the risk of noncompliance by the contractors that are beneficiaries. By extension, similar approval rules should generally apply to changes (if any) in the procedure, as well.

Note failure to implement and comply with MDR procedure, despite the requirement to do so imposed by Article 86l of the Tax Ordinance, could result in a monetary penalty of up to 2,000,000 Polish Zloty (PLN 2m), and in some cases up to PLN 10m where the reporting duties are not carried out.

An additional risk that should be taken into account is the entity's potential liability under the GDPR. If it is found that data is processed contrary to GDPR principles, the entity may be subject to an administrative fine of up to €20m or 4% of the annual global turnover from the previous financial year.

Due to the new obligation to inform an individual(s) "insufficient time for the individual to exercise their right to protect personal data," entities obliged to report tax arrangements could have even less time than the statutory 30 days to analyze the arrangement and collect the data required for proper reporting. Hence, in addition to updating the procedures, it is important that the individuals responsible for reporting companies' tax arrangements have up-to-date knowledge or professional support allowing for a quick response. The introduction of amendments to the MDR may also be a good reason for organizations to verify compliance of their personal data protection six years after the introduction of the GDPR regulations.