PDPO sectoral audit plan 2025: who will be targeted?

On 16 January 2025, the Office for the Protection of Personal Data (PDPO) issued a communication on its sectoral control plan for 2025. Which sectors will the PDPO inspectors target?

Who can expect increased PDPO inspections?

In 2025, the PDPO inspectors will focus on the control of sectors that generate the highest risk of breaches of data protection legislation, as well as those that attract wide public interest, i.e. medical data security and the processing of children’s data.

Medical data is one of the most sensitive categories of data, so particular attention will be paid to verifying the data protection measures in place. The goal is to minimise the risk of unauthorised access, breach of privacy, and improper processing of such data.

It is worth noting that the PDPO has already carried out inspections in this regard. For example, the authority imposed an administrative fine of PLN 10,000 on the University Clinical Centre of the Warsaw Medical University for failing to notify the President of the PDPO, and the person whose data was subject to the breach, of a personal data protection breach.

Another priority in the PDPO’s control plan for 2025 will be the processing of children’s data, with particular focus on cases where parental or legal guardian consent is required. In particular, the inspections will cover situations where children’s data, such as images, contact details or information collected through various online platforms, are used. Compliance with the requirements for the protection of children’s personal data, as well as parents’ awareness of their rights in this regard, will be key in the checks carried out.

Is your institution processing data correctly in EU Large Scale Systems? The PDPO will check this in 2025!

The PDPO's areas of focus in 2025 also include entities that process personal data within EU systems such as SIS (Schengen Information System) and VIS (Visa Information System). In particular, this concerns institutions that collect and process data on the basis of European Union regulations and Polish regulations, including the Act of 24 August 2007 concerning Poland’s participation in these systems. In this case, the PDPO will pay attention to:

  • the way data is managed,
  • the security of information processing,
  • and compliance with European law regulations.

The PDPO will scrutinise GDPR breach documentation – what do you need to know?

The PDPO also intends to focus on the control of data controllers with regard to the implementation of the obligation under Article 33(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. According to this provision, the administrator shall document any personal data breaches, including:

  • the circumstances of the personal data breach,
  • its effects and the remedial action taken,
  • and this documentation must allow the supervisory authority to verify compliance with this article.

As part of the inspection, the PDPO will check how administrators record and report breaches, what remedial actions they take, and whether these processes comply with regulatory requirements.

How to avoid the risk of sanctions?

It is important to emphasise that the planned inspections by the PDPO are not limited to specific sectors. The circle of entities that may be subject to inspections this year is therefore very broad, as every data administrator is obliged to document any incidents related to a personal data protection breach.

In view of these inspections, it is worth reviewing the documentation and internal procedures implemented for the processing of personal data to ensure that they comply with the applicable regulations.

Our data protection lawyers can assist you in preparing or verifying the aforementioned documentation, as well as in clarifying any information regarding the issues described above.

Author: Dominika Kozińska, team leader, DKP Legal
