Poland: Data Protection Laws of the World Handbook: Second Edition - Poland

E-Commerce And Privacy Alert

LAW

As a member of the European Union, Poland implemented EU Data Protection Directive 95/46/ EC in the Personal Data Protection Act of 29 August 1997 (consolidated text Journal of laws of 2002, No 101, item 926 as amended, hereinafter referred to as the "PDPA"). The implementation was introduced by the Amendment of Certain Laws in Connection with Membership of the Republic of Poland in the European Union of 24 August 2007 (Journal of laws of 2007, No 176, item 1238).

DEFINITION OF PERSONAL DATA

The PDPA states that personal data shall mean any information relating to an identified or identifiable natural person. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

DEFINITION OF SENSITIVE PERSONAL DATA

Pursuant to the PDPA sensitive personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union membership, as well as personal data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings.

NATIONAL DATA PROTECTION AUTHORITY

General inspector of Personal Data Protection

(Generalny Inspektor Ochrony Danych Osobowych)

REGISTRATION

As a general rule, data controllers who process personal data must notify the General Inspector about the data filing system containing such data. The General Inspector keeps a register of data controllers and data filing systems, which is available to the public.

The obligation to register data filing systems does not apply to the data controllers of data which:

  • include confidential information;
  • were collected as a result of inquiry procedures conducted by officers of bodies authorised to conduct such inquiries;
  • are processed by relevant bodies for the purpose of court proceedings and on the basis of the provisions on the National Criminal Register;
  • are processed by the Inspector General of Financial Information;
  • are processed by relevant bodies for the purpose of Poland's participation in the Schengen Information System and Visa Information System;
  • are processed by relevant bodies on the grounds of laws which regulate the exchange of information with law enforcement agencies of EU Member States;
  • relate to the members of churches or other religious unions with an established legal status, being processed for the purposes of these churches or religious unions;
  • are processed in connection with the employment by the controller or providing services for the controller on the grounds of civil law contracts, and also refer to the controller's members and trainees;
  • refer to the persons availing themselves of health care services, notarial or legal advice, patent agent, tax consultant or auditor services;
  • are created on the basis of electoral regulations concerning the Lower Chamber of the Polish Parliament, the Senate, the European Parliament, communal councils, district councils and provincial councils, the President of the Republic of Poland, the head of a commune, the mayor or president of a city, and acts on national referendums and municipal referendums;
  • refer to persons deprived of freedom under the relevant law within the scope required for carrying out the provisional detention or deprivation of freedom;
  • are processed for the purpose of issuing an invoice, a bill, or for accounting purposes;
  • are publicly available;
  • are processed in the preparation of a thesis required to graduate from a university or be awarded a degree; or
  • are processed with regard to minor, everyday affairs.

The data controller may start the processing of data in the data filing system after notification of the system to the General Inspector, unless the controller is exempted from this obligation. Nevertheless, the data controller of sensitive data may start the processing of these data in the data filing system after registration of the file, unless the data controller is exempted from the obligation to submit the system for registration.

The notification should include, in particular, the following information:

  • the identity of the data controller and any data processors;
  • the legal grounds for data processing;
  • the purpose of the processing;
  • a description of the categories of the data subjects;
  • the scope of processing of the data;
  • the means of data collection and disclosure;
  • a description of the technical and organisational measures undertaken in order to comply with the goals defined in the PDPA; and
  • information relating to the possible data transfer to a third country.

DATA PROTECTION OFFICERS

The data controller is obliged to appoint an administrator of information security who supervises the compliance with security measures implemented in order to protect the personal data against their unauthorised disclosure, takeover by an unauthorised person, processing with the violation of the PDPA, any change, loss, damage or destruction.

COLLECTION AND PROCESSING

The processing of data is permitted only if:

  • the data subject has given his/her consent, unless the processing consists in erasure of personal data;
  • processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision;
  • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the performance of tasks provided for by law and carried out in the public interest; or
  • processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

Where sensitive data is processed, one of the following conditions must be met:

  • the data subject has given his/her written consent, unless the processing consists of the erasure of personal data;
  • the specific provisions of other statutes provide for the processing of such data without the data subject's consent and provide for adequate safeguards;
  • processing is necessary to protect the vital interests of the data subject, or of another person, where the data subject is physically or legally incapable of giving his/her consent until he establishes who is the guardian or curator;
  • processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non profit organisations or institutions with a political, scientific, religious, philosophical, or trade union aim provided that the processing relates solely to the members of those organisations or institutions or to the persons who have a regular contact with them in connection with their activity and subject to providing appropriate safeguards of the processed data;
  • processing relates to the data necessary to pursue a legal claim;
  • processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his/her employees and other persons, and the scope of processing is provided by the law;
  • processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing appropriate safeguards;
  • the processing relates to those data which were made publicly available by the data subject;
  • it is necessary to conduct scientific research including preparations of a thesis required for graduating from university or receiving a degree; any results of scientific researches shall not be published in a way which allows identifying data subjects; and
  • data processing is conducted by a party to exercise the rights and duties resulting from decisions issued in court or administrative proceedings.

The data controller is obliged to provide a data subject with information including: the identity of the data controller, the purpose of data collection, the data recipients or categories of recipients, if known at the date of collecting, the existence of the data subject's right of access to his/her data and the right to rectify these data, whether the replies to the questions are obligatory or voluntary, and in case of existence of the obligation about its legal basis. Further information is required if personal data has not been obtained from a data subject.

TRANSFER

The transfer of personal data to a third country (i.e. a country outside the European Economic Area) may take place only if the country of destination ensures an adequate level of data protection.

The adequate level of protection of personal data is evaluated taking into account all the circumstances surrounding the data transfer, in particular taking into account the nature of the data, the purpose and duration of the proposed processing operation, the country of origin and country of final destination of the data, the laws applicable in the third country, safety measures used in this country and business conduct.

Nevertheless, the data controller may transfer the personal data to a third country provided that:

  • the data subject has given his/her written consent;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject's request;
  • the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and another subject;
  • the transfer is necessary or required by reasons of public interest or for the establishment of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject; or
  • the transfer relates to data which are publicly available.

In cases other than those referred to above, the transfer of personal data to a third country which does not ensure at least the same level of personal data protection as that in force in Poland may take place only subject to the prior consent of the General Inspector, provided that the data controller ensures adequate safeguards with respect to the protection of the privacy, rights and freedoms of the data subject (the use of "standard contractual clauses" approved by the European Commission, or the implementation of Binding Corporate Rules easing the granting of such approval).

For the transfer of data to United States, compliance with US/EU Safe Harbor principles satisfies the requirement of the PDPA and the consent of the General Inspector is not required.

The transfer of personal data is also allowed if it is required by legal provisions or by the provisions of any ratified international agreement which guarantees an adequate level of personal data protection.

SECURITY

The data controller is obliged to implement technical and organisational measures to protect the personal data being processed, appropriate to the risks and category of data being protected, and to protect data against unauthorised disclosure, takeover by an unauthorised person, processing which violates the PDPA, any change, loss, damage or destruction, and in particular the data controller should:

  • keep the documentation describing the way of data processing and security measures;
  • appoint an administrator of information security who supervises the compliance with security measures;
  • grant authorisation to persons who are allowed to carry out the processing of data;
  • ensure supervision over the following: which data, when and by whom have been entered into the filing system and to whom they are transferred; and
  • keep a register of persons authorised to carry out the processing of data.

There are three levels of security measures depending on the category of data: "basic", "medium" and "high". In the event no sensitive data is processed and none of the devices of the IT system used for data processing is connected with the public network (i.e. the Internet) security measures should be applied at a basic level. If the data controller processes sensitive data, security measures should be applied at least at the medium level. If at least one device of the IT system used for data processing is connected to the public network, security measures should be applied on the high level.

BREACH NOTIFICATION

There is no requirement in the PDPA to report data security breaches or losses to the General Inspector or to data subjects. However, pursuant to the Polish Code on Criminal Procedure there is a civic duty to inform the state prosecutor or Police in case of the commission of an offence prosecuted ex officio. Non compliance with the PDPA is an offence.

ENFORCEMENT

In Poland the General Inspector is responsible for the enforcement of the PDPA.

Where there is a breach of the provisions on personal data protection, the General Inspector ex officio or upon a motion of a person concerned, by means of an administrative decision, may issue orders to restore the proper legal state. Failure to comply with the decision is subject to fines up to approximately EUR 50,000.

Furthermore, non compliance with the PDPA may be a criminal offence. A person who is liable (usually a member of a management board of the company which is a data controller) may be subject to a fine (from approximately EUR 25 to approximately EUR 270,000), a partial restriction of freedom or a prison sentence of up to three years.

ELECTRONIC MARKETING

Electronic marketing activities are subject to the regulations of the PDPA, the Act of 18 July 2002 on Providing Services by Electronic Means (Journal of Laws of 2002, No 144, item 1204 as amended ("PSEM") and the Telecommunications Act of 16 July 2004 (Journal of Laws of 2004, No 171, item 1800 as amended ("Telecommunications Act").

The PDPA applies to electronic marketing activities as such activities will involve processing of personal data, eg an e-mail address is likely to be considered personal data for the purposes of the PDPA. The PDPA lays down the grounds for processing of personal data for marketing purposes. According to the PDPA the data controller may process personal data if processing is necessary for the purpose of legitimate interests pursued by the data controllers provided that the processing does not violate the rights and freedoms of the data subject.

The legitimate interests includes direct marketing of own products or services provided by the data controller. Therefore, if marketing activities relate only to products and services owned by the data controller, consent for such processing is not required. The data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services not owned by the data controller, prior consent for such processing is necessary. In each case the data subject should be informed about processing of his/her personal data for marketing purposes.

Apart from consent for processing of personal data (if such consent is required), the PSEM imposes an obligation to obtain a separate consent for sending marketing information by electronic means, (eg e-mails and SMS). The consent should not be presumed to be or be part of another statement of will and may be withdrawn at any time. Sending commercial information without consent is considered to be unfair competition practice. A service provider should be able to provide evidence that it has obtained consent.

The Telecommunications Act prohibits the use of automated calling systems for direct marketing, unless a user has given prior consent to this. The consent of the user:

  • may not be presumed or implied by a declaration of will of a different content;
  • may be expressed by electronic means, provided that it is recorded and confirmed by the user; and
  • may be cancelled at any time, in a simple manner and free of charge.

Enforcement and sanctions – Failing to fulfill the obligations to obtain consent for using automated calling systems for direct marketing is subject to a financial penalty up to 3% of the revenues of the fined company for the past calendar year. The penalty is imposed by the President of the Office of Electronic Communication (hereinafter referred to as the "President of OEC"). In addition, the President of OEC may impose a financial penalty on a person in charge of the company up to 300% of his/her monthly remuneration.

Sending marketing information by electronic means without consent is subject to criminal liability (a fine) and is considered to be an act of unfair competition.

The sanctions relating to PDPA set out in the Enforcement section above will apply accordingly.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

The Telecommunications Act regulates the collection of transmission and location data and the use of cookies (and similar technologies). The amendment to the Telecommunications Act which implements Directive 2009/136/EC and Directive 2009/140/EC came into force on 21 January 2013, with the exception of the new provisions regarding cookies, which will come into force by 22 March 2013.

Transmission data – The processing of transmission data (understood as data processed for the purpose of transferring messages within telecommunications networks or charging payments for telecommunications services, including location data, which should be understood as any data processed in a telecommunications network or as a part of telecommunications services indicating geographic location of terminal equipment of a user of publicly available telecommunications services) for marketing telecommunications services or for providing value-added services is permitted if the user gives his/her consent.

Data about location – In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a provider of publicly available telecommunications services has to:

  • obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given period or in relation to a given call; or
  • perform the anonymisation of this data.

A provider of publicly available telecommunications services is obliged to inform the user, prior to receiving its consent, with regard to the type of data about location which is to be processed, with regard to the purpose and time of its processing, and whether this data is to be passed on to another entity in order to provide a value-added service.

Data about location may be processed only where this is necessary to provide value-added services.

Cookies – The use and storage of cookies and similar technologies requires:

  • providing clear and comprehensive information to the user;
  • obtaining the consent of the user; and
  • that stored information or gaining access to this stored information does not cause configuration changes in the telecommunications device of the user or the software installed on this device.

The user may grant consent by using the settings of the software installed in the final telecommunications device used by him/her or by the service configuration.

According to the explanations of the Ministry of Administration and Digitalisation, which has prepared the amendment to the Telecommunications Act, consent can be inferred by a user's actions, e.g. the user is given clear and relevant information about the cookies that are used and on that basis gives his/her consent by changing browser settings.

Consent is not required if storage or gaining access to cookies is necessary for:

  • transmitting a message using a public telecommunications network; or
  • delivering a service rendered electronically, as required by the user

Enforcement and sanctions – A company that processes transmission data contrary to the Telecommunications Act or fails to fulfill obligations to obtain consent for processing data about location or storing and gaining access to cookies is subject to a financial penalty up to 3% of the company's revenues for the past calendar year. The penalty is imposed by the President of OEC. In addition, the President of OEC may impose a financial penalty on a person in charge of the company up to 300% of his/her monthly remuneration.

The sanctions relating to PDPA set out in the Enforcement section above will apply accordingly.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions