The main law on privacy in Poland is the EU General Data Protection Regulation (GDPR). The national regulation which principally develops and supplements the provisions of the GDPR is the Personal Data Protection Act of 10 May 2018.
Another key act is the Act of 21 February 2019 on amendments to certain legal acts in connection with the implementation of the GDPR (‘Amending Act’), which came into force after the GDPR was passed. The purpose of this act was to adjust the Polish legal system to the requirements of the GDPR. The Amending Act introduced changes to almost 170 separate sectoral acts.
The EU e-Privacy Directive (2002/58/EC) is also significant. The directive mainly concerns:
- the confidentiality of communications;
- direct e-marketing issues (including marketing calls, emails, texts and faxes, and use of cookies and similar technologies); and
- rules on tracking and monitoring of internet users.
It was implemented mainly through the Act on Providing Services by Electronic Means of 18 July 2002 and the Telecommunications Act of 16 July 2004.
The Telecommunications Act is set to be replaced by the Electronic Communications Law (which will also replace some provisions of the Act on Providing Services by Electronic Means).
Neither the GDPR nor the Personal Data Protection Act refers to specific sectors; both are generally applicable. However, specific data protection rules for related areas are provided in specific acts.
From a privacy perspective, cybersecurity regulations are important. Pursuant to the Networks and Information Systems Directive and the National Cybersecurity System Act, special cybersecurity requirements are imposed on digital service providers and operators of essential services. The following sectors may be subject to these requirements:
- energy;
- transport;
- banking;
- health;
- water distribution; and
- digital infrastructure.
Other sectoral laws (eg, for banks, telecommunications operators and health services providers) impose additional security obligations on data controllers. They include the following:
- Telecommunications sector: The Telecommunications Act of 16 July 2004;
- Banking sector: The Banking Act of 29 August 1997;
- Financial sector: The Payment Services Act of 19 August 2011;
- Insurance sector: The Insurance and Reinsurance Activity Act of 11 September 2015;
- Energy sector: The Energy Law Act of 10 April 1997; and
- Healthcare sector:
  - the Medical Activities Act of 15 April 2011;
  - the Act on Patients’ Rights and the Commissioner for Patients’ Rights of 6 November 2008; and
  - the Act on the Healthcare Information System of 28 April 2011.
The Labour Code and several acts concerning the employment relationship set out specific rules on the processing of employees’ data.
Although the GDPR generally applies to data processed by religious institutions, the processing of data by the Catholic Church is regulated separately in the General Decree on the Protection of Individuals with Regard to the Processing of Personal Data in the Catholic Church.
The Polish data protection regime also limits or excludes the application of certain obligations of the data controller in some cases – for example, the obligation to inform data subjects about the collection and use of their data.
The Personal Data Protection Act limits the application of certain provisions of the GDPR for the following purposes or by the following entities:
- processing by certain units of the public finance sector, if the processing is necessary to safeguard national security and the law stipulates necessary measures to ensure the protection of the data subjects’ rights and freedoms;
- processing for journalistic purposes (ie, editing, preparing, creating or publishing press materials), or for expression in literary or artistic activities;
- processing for academic purposes;
- processing for the performance of a task carried out in the public interest, if fulfilment of the obligation would prevent or seriously impair the proper performance of the task and the rights and freedoms of the data subject do not override the interest resulting from the performance of the task; and
- processing by special forces.
Generally, the EU data protection rules apply within the European Economic Area (EEA). The EEA includes all EU countries and Liechtenstein, Norway and Iceland. In the case of data transfers outside the EEA, special safeguards are foreseen to ensure that the protection travels with the data. The GDPR provides mechanisms for the safe transfer of data to third countries, such as:
- adequacy decisions;
- standard contractual clauses;
- binding corporate rules;
- certification mechanisms;
- codes of conduct; and
- so-called ‘derogations’.
With regard to adequacy decisions, the European Commission has the power to determine whether a country outside the European Union offers an adequate level of data protection. The effect of this decision is that personal data can be transferred from the EEA to that third country without any further safeguards being necessary. The countries which the European Commission has so far recognised as providing adequate protection include Andorra, Argentina, Canada (for commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The main body responsible for enforcing data privacy is the Personal Data Protection Office (PDPO). The key investigative powers of the PDPO include:
- to order a data controller, a data processor and, where applicable, the representative of a data controller or processor to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of a data protection audit;
- to notify a data controller or processor of an alleged infringement of the GDPR; and
- to obtain access to all personal data and information necessary for the performance of its tasks, as well as to obtain access to any premises of the data controller or processor.
The key corrective powers of the PDPO include:
- issuing warnings, reprimands and various orders regarding compliance;
- imposing temporary or definitive limitations, including a ban on processing;
- imposing administrative fines in addition to or instead of other measures; and
- suspending data flows.
Infringements of the GDPR identified by the PDPO may result in the imposition of an administrative fine of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The Personal Data Protection Act lowers the level of these administrative fines for public authorities to a maximum of PLN 100,000 (approximately €25,000).
Moreover, a violation of the rules on direct marketing may result in action being taken (including the imposition of fines) by other authorities, such as the president of the Office of Electronic Communications or the president of the Office of Competition and Consumer Protection.
The GDPR includes the concept of codes of conduct which are intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises. Such codes of conduct may be prepared by associations and other bodies representing different categories of data controllers or processors. The idea is to provide sector-specific support in GDPR compliance to organisations, as well as to build public trust and confidence in complying with data privacy laws in the designated sectors. The PDPO will issue an opinion on whether a draft code (or its amendment or extension) complies with the GDPR and approve such draft code (or amendment or extension) if it considers that it provides adequate safeguards. Organisations can then sign up to the code of conduct and, if appropriate, establish a monitoring body to assess compliance.
The GDPR also provides for the possibility of establishing data protection certification mechanisms and data protection seals and marks for the purpose of demonstrating compliance with the GDPR. These mechanisms are intended to allow data subjects to quickly assess the level of data protection afforded by relevant products and services.
Moreover, the PDPO issues guidelines and recommendations on various personal data protection matters, which may concern required standards or best practices for certain industries or processing operations. Important guidelines are also issued by the European Data Protection Board (prior to the GDPR, the Article 29 Working Party), an independent European working party of all the European supervisory authorities. Certification standards such as those of the International Organization for Standardization (ISO) could also help to ensure compliance and will be taken into consideration by the PDPO in any potential proceedings.
The EU General Data Protection Regulation (GDPR) applies to any organisation operating within the European Union (regardless of whether the processing takes place in the European Union), as well as any organisations outside of the European Union which offer goods or services to customers or businesses in the European Union.
In principle, the data privacy regime does not apply to:
- activities of a purely personal or domestic nature;
- activities that fall outside the scope of EU law; or
- activities external to the European Union and concerning common foreign and security policies.
The data privacy regime may have extraterritorial application only:
- to entities which carry out activities involving data processing in the European Economic Area (EEA); or
- where the processing of personal data by such entities relates to persons residing in the EEA.
On the other hand, if the criterion of carrying out activities in the EEA or of persons residing in the EEA is applied, it may be assumed that the data privacy regime does not have extraterritorial scope, because it applies only to activities and data subjects within the EEA.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the General Data Protection Regulation (GDPR)).
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (Article 4(8) of the GDPR).
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the data controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).
(d) Data subject
An identified or identifiable natural person. An ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to:
- an identifier such as:
  - a name;
  - an identification number;
  - location data; or
  - an online identifier; or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
(e) Personal data
Any information relating to an identified or identifiable natural person (‘data subject’) (Article 4(1) of the GDPR).
(f) Sensitive personal data
Special categories of personal data (Recital 10 of the GDPR) – that is:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data and biometric data, when processed for the purpose of uniquely identifying a natural person;
- data concerning health; and
- data concerning a person’s sex life or sexual orientation (Article 9(1) of the GDPR).
Personal data relating to criminal convictions and offences or related security measures based on Article 6(1) is not listed as sensitive data, but is also subject to special restrictions in processing (Article 10 of the GDPR).
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or through a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).
- ‘Restriction of processing’: The marking of stored personal data with the aim of limiting its processing in the future (Article 4(3) of the GDPR).
- ‘Profiling’: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (Article 4(4) of the GDPR).
- ‘Pseudonymisation’: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).
- ‘Filing system’: Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis (Article 4(5) of the GDPR).
- ‘Personal data breach’: Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).
- ‘Biometric data’: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which identify or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
- ‘Joint controllers’: Two or more data controllers jointly determining the purposes and means of processing.
There is no obligatory registration or licensing requirement for data controllers or processors under Polish data protection law.
However, the Personal Data Protection Act requires entities that have appointed a data protection officer (DPO) to notify the Personal Data Protection Office (PDPO) of the designation. An entity that has appointed a DPO must also notify the PDPO of any change to the data submitted in the notice and of the dismissal of the DPO, after the change or dismissal occurs.
N/A.
N/A.
The lawful bases for processing personal data vary depending on the type of data.
The processing of so-called ‘common data’ is lawful only if and to the extent that at least one of the following legal bases provided in the EU General Data Protection Regulation (GDPR) applies:
- The data subject has consented to the processing of his or her personal data for one or more specific purposes;
- The processing is necessary to perform a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary to comply with a legal obligation to which the data controller is subject;
- The processing is necessary to protect the vital interests of the data subject or another natural person;
- The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
- The processing is necessary for the purposes of a legitimate interest pursued by the data controller or by a third party, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data – in particular, where the data subject is a child.
The GDPR distinguishes special categories of personal data – that is:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data and biometric data, when processed for the purpose of uniquely identifying a natural person;
- data concerning health; and
- data concerning a person’s sex life or sexual orientation (Article 9(1) of the GDPR).
The processing of special categories of data is generally prohibited. However, it may be lawful if and to the extent that one of the following legal bases provided in the GDPR applies:
- The data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes;
- The processing is necessary to carry out obligations and exercise specific rights in the field of employment, social security and social protection (if authorised by law);
- The processing is necessary to protect vital interests of the data subject or another natural person;
- The processing is carried out by not-for-profit bodies in the course of their legitimate activities and with appropriate safeguards;
- The data to be processed was manifestly made public by the data subject;
- The processing is necessary for the establishment, exercise or defence of legal claims or judicial acts;
- The processing is necessary for reasons of substantial public interest (with a basis in law);
- The processing is necessary to provide health or social care (with a basis in law);
- The processing is necessary for reasons of public interest in the area of public health (with a basis in law); or
- The processing is necessary for archiving, research and statistics purposes (with a basis in law).
Personal data relating to criminal convictions and offences or related security measures may be processed only:
- under the control of an official authority; or
- where the processing has a basis in law that provides appropriate safeguards for the rights and freedoms of data subjects.
The GDPR establishes the following principles of personal data protection:
- Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation: Personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, all principles described above.
These key principles do not vary depending on the type of data being processed or in relation to the outsourcing of data. The abovementioned principles inform the interpretation of particular provisions of the GDPR.
Additional requirements are provided in Polish law – in particular, in the Personal Data Protection Act and in regulations implementing the Amending Act. Specific data protection rules for related areas are also provided in specific acts; the general acts on data protection do not cover specialised fields. Sectoral legislation may provide specific requirements or restrictions related to the processing of the data.
Moreover, the European Data Protection Board provides guidelines concerning data processing in many different areas. These do not constitute binding law, but they should be taken into consideration by data controllers when processing data.
The Personal Data Protection Office also issues guidelines or opinions concerning the processing of personal data, but its opinions do not constitute law and are of subsidiary importance.
The transfer of personal data to third parties is permitted only if the recipient has a legal basis to process such personal data.
The legal bases include:
- the consent of the data subject;
- necessity to perform a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- necessity to comply with a legal obligation to which the data controller is subject;
- necessity to protect vital interests of the data subject or another natural person;
- necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller; and
- necessity for the purposes of a legitimate interest pursued by the data controller or by a third party, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data – in particular, where the data subject is a child.
Other legal bases apply to the transfer of special categories of personal data.
The rules on the transfer of personal data abroad vary depending on the destination. If the transfer is to take place within the European Economic Area (EEA), the rules indicated in question 6.1 apply.
If the transfer is to take place outside the EEA, additional requirements must be met. A transfer is permitted:
- if the European Commission has decided that the third country in which the recipient is located ensures an adequate level of protection;
- if:
  - appropriate safeguards are provided (eg, standard contractual clauses, binding corporate rules or an approved code of conduct); and
  - the data subjects’ rights are enforceable and effective legal remedies for the data subjects are available in the relevant jurisdiction; or
- in specific situations, such as:
  - on the basis of the data subject’s explicit consent;
  - where the transfer is necessary to perform a contract between the data subject and the controller; or
  - where the transfer is necessary to establish, exercise or defend legal claims.
The data controller should inform the data subjects of the recipients to which their personal data will be transferred. After receiving the data, the recipients should also inform the data subjects of:
- their receipt of the data;
- the identity and contact details of the data controller;
- the purposes and planned time of the data processing;
- the rights of the data subjects; and
- the source of the data.
The EU General Data Protection Regulation (GDPR) provides for the following rights of data subjects:
- the right to be informed about the collection and use of their personal data (in principle, this information should be provided at the time of collecting the data);
- the right to access the personal data that the data controller holds on them, including the right to obtain a copy of the personal data;
- the right to rectify any inaccurate or incomplete personal data held by the data controller;
- the right to erasure (‘the right to be forgotten’) – that is, the right to ask the data controller to delete any personal data it holds about the data subject because:
  - the personal data is no longer necessary in relation to the purposes for which it was collected by the data controller;
  - the data subject withdraws consent to the processing (within the scope covered by such consent);
  - the data subject objects to the processing of data;
  - the personal data has been unlawfully processed;
  - the personal data must be erased to comply with a legal obligation; or
  - the personal data has been collected in relation to the offer of information society services provided for children;
- the right to restrict (ie, prevent) the processing of personal data, because:
  - the data is inaccurate, for a period that will allow the data controller to verify the accuracy of the personal data;
  - the processing is unlawful but the data subject opposes the erasure of the personal data;
  - the data controller no longer needs the data, but the data subject requires it for the establishment, exercise or defence of legal claims; or
  - the data subject objects to the processing – pending verification of whether the legitimate grounds of the data controller override the data subject’s rights;
- the right to data portability, which can be exercised where:
  - the processing is based on the data subject’s consent or on a contract with the data subject; and
  - the processing is carried out by automated means;
- the right to object to processing for particular purposes – data subjects have an absolute right to stop their data being used for direct marketing. They also have the right to object on grounds relating to their particular situation at any time when:
  - the processing of their personal data is based on the legitimate interest of the data controller; or
  - the data is being processed to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller – in which case the data controller must demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or that the data is being processed for the establishment, exercise or defence of legal claims;
- the right to withdraw consent at any time, which does not affect the lawfulness of the processing based on consent before its withdrawal; and
- rights in relation to automated decision making and profiling – data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or which similarly significantly affects them, unless the decision:
  - is necessary to enter into or perform a contract between the data controller and the data subject;
  - is authorised by law; or
  - is based on the data subject’s explicit consent.
The following additional remarks and exceptions for selected rights should be noted:
- The right to be informed: The data controller is released from its obligation to inform if:
  - the data subject already has the relevant information;
  - the provision of such information would be impossible or involve disproportionate effort;
  - obtaining or disclosure is expressly laid down by law and appropriate measures are provided to protect the data subject’s legitimate interests; or
  - the personal data must remain confidential subject to an obligation of professional secrecy regulated by law.
- The right to erasure: The data controller is released from its obligation to erase if the processing is necessary:
  - to exercise the right of freedom of expression and information;
  - to comply with a legal obligation;
  - for reasons of public interest in the area of public health;
  - for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
  - for the establishment, exercise or defence of legal claims.
Data subjects can exercise their rights by addressing requests to the data controller.
They are also entitled to make complaints to the Personal Data Protection Office (PDPO) against data controllers, and to bring claims against data controllers and processors in court.
Moreover, the PDPO has the power to take action against data controllers and processors on its own initiative.
Any individual who has suffered material or non-material damage as a result of an infringement of data protection law in relation to the processing of his or her data has the right to monetary damages or compensation. The GDPR recognises the principle of full compensation.
Injury to feelings (ie, psychological harm) constitutes a sufficient basis for pursuing claims. As the GDPR’s provisions do not set out comprehensive rules on claims relating to violations of data protection law, the Civil Code applies to fill in any gaps.
If an event relating to the processing of personal data results in a breach of personal rights – for example, the right to privacy, the right to protection of one’s name and pseudonym or the right to personal portrayal – the data subject may also be entitled to monetary damages or compensation under Article 24 of the Civil Code.
The appointment of a data protection officer (DPO) is mandatory in the following cases:
- The core activities of the data controller or processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- The main activities of the data controller or processor consist of processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences; or
- The processing is carried out by a public authority or body (with the exception of courts in the exercise of their judicial functions).
The DPO should have:
- professional qualities;
- expert knowledge of data protection law;
- independent judgement; and
- the ability, capacity and resources to carry out his or her tasks.
It must be ensured that the other tasks and duties performed by the DPO do not result in a conflict of interest.
The role and tasks of the DPO are described in detail in the EU General Data Protection Regulation (GDPR). According to Article 39 of the GDPR, these tasks include the following at minimum:
- informing and advising the data controller or processor and employees who carry out processing of their obligations pursuant to the GDPR and to other EU or member state data protection provisions;
- monitoring compliance with the GDPR, with other EU or member state data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including:
  - the assignment of responsibilities;
  - awareness raising and training of staff involved in processing operations; and
  - related audits;
- advising where requested as regards data protection impact assessments and monitoring their performance pursuant to Article 35 of the GDPR;
- cooperating with the PDPO; and
- acting as the contact point for the PDPO on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and consulting, as appropriate, on any other matter.
Yes, this role may be outsourced to a third party. There are no special requirements with regard to such outsourcing. However, the DPO should be appointed on the basis of his or her professional qualities – in particular, expert knowledge of data protection law and practices – and ability to fulfil the tasks of the DPO, as referred to in Article 39 of the GDPR. The entity that appoints the DPO must notify the Personal Data Protection Office of its appointment within 14 days of the appointment, indicating the name, surname and email address or telephone number of the DPO.
In general, the Polish legal framework does not require any additional documents or policies other than those required under the GDPR. Therefore, the data controller and, where applicable, its representative should maintain a record of all processing activities under the data controller’s responsibility. The record should include the following information:
- the name and contact details of the data controller and, where applicable, the joint controller, the controller’s representative and the DPO;
- the purposes of the processing;
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to which the personal data has been or will be disclosed, including recipients in third countries or international organisations;
- any transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Similarly, each data processor and, where applicable, the processor’s representative should maintain a record of all categories of processing activities carried out on behalf of the data controller, containing:
- the name and contact details of:
  - the data processor or processors;
  - each data controller on behalf of which the data processor is acting;
  - where applicable, the controllers’ or processors’ representative; and
  - the DPO;
- the categories of processing carried out on behalf of each data controller;
- any transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; and
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The above records should be retained in writing, including in electronic form.
Ensuring privacy protection is an ongoing process. Taking into account the regulations and the principles arising therefrom, special emphasis should be given to providing information about the processing of personal data and on the exercise of data subjects’ rights (as reflected in the higher penalties for violations in these areas). Therefore, it is good practice to apply transparency to the processing of personal data, providing clarity on:
- the scope of data processed;
- the grounds and purpose for its processing;
- the ways in which it is used; and
- the sharing of data with other entities.
A particular challenge is the processing of data based on a legitimate interest, which must be clearly identified but also reasonably justified and must not infringe the rights and freedoms of the data subjects.
Both data controllers and data processors must implement appropriate technical and organisational measures to protect the security of personal data. The EU General Data Protection Regulation (GDPR) does not prescribe which measures must be used in which circumstances, but names certain principles and techniques, such as:
- pseudonymisation and encryption of personal data;
- data minimisation;
- integration of the necessary safeguards into the processing; and
- protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, the data controller must abide by the rules on ‘data protection by design’ and ‘data protection by default’. As a result, the data controller must ensure that it is compliant with the principles of the GDPR both before it begins processing the data and during the processing itself. ‘By default’ means that every setting, procedure and system is configured so that, without any action by the user, only the personal data necessary for each specific purpose is processed and that data is kept secure. This includes:
- collecting only as much data as is necessary;
- adopting a ‘privacy-first’ approach; and
- adopting and following security-centric policies.
When deciding on the appropriate measures, the data controller should consider:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of the processing; and
- the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.
The data controller must ensure that the data processor is using the appropriate technical and organisational measures to protect the security of the data and can be held accountable if the appropriate security standards are not met.
Yes, any data breach must be notified to the Personal Data Protection Office (PDPO), unless it is unlikely to present a risk to the rights and freedoms of natural persons. In such case, notification is voluntary.
The information must be provided without undue delay and, where feasible, within 72 hours of the data controller becoming aware of the breach. A data processor must notify the data controller without undue delay after becoming aware of a data breach. Because the 72-hour clock runs from the controller’s awareness, any delay by the processor in passing on the information delays the whole process and, depending on how awareness is assessed, can eat into the time available to the controller; the data processing agreement should therefore fix a short internal deadline for the processor. Telecommunications operators must report a data breach within 24 hours instead of 72 hours.
The information that must be provided to the PDPO covers:
- the nature of the data breach, including, where possible:
  - the categories and approximate number of data subjects concerned; and
  - the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (DPO) or other contact point through which more information can be obtained;
- a description of the likely consequences of the data breach and the measures taken or proposed to be taken by the data controller to address the breach, including measures to mitigate its possible adverse effects, where appropriate; and
- if notification was delayed, the reasons for such delay.
If it is not possible to provide all of the above information at the same time, the information can be provided in phases without undue further delay.
Breaches can be reported online at www.biznes.gov.pl/pl/e-uslugi/00_0889_00.
Yes, a data breach should be notified to the affected data subjects without undue delay if it is likely to present a high risk to the rights and freedoms of natural persons. Under the GDPR, if at least one of the following criteria is met, notification of the data subjects is not required:
- The data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach – in particular, measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- The data controller has taken subsequent measures which ensure that a high risk to the rights and freedoms of natural persons is no longer likely to materialise; or
- Notification would involve disproportionate effort. In this case, the data controller should instead issue a public communication or similar measure through which the data subjects can be informed in an equally effective manner.
Notification of the data subjects may be ordered by the PDPO.
In notifying the data subjects, the data controller should describe the nature of the data breach in clear and plain language. The information provided must include at least:
- the name and contact details of the DPO or other contact point where more information can be obtained;
- a description of the likely consequences of the data breach; and
- a description of the measures taken or proposed to be taken by the data controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Voluntary notification of affected data subjects is also allowed.
Every data breach must be documented by the data controller, even if it is not notified to the PDPO. The data controller must retain information on the effects of the data breach and the remedial action taken in its internal documentation, so that the PDPO can verify compliance with the GDPR in the future (principle of accountability).
It is considered good practice to assess each breach against a severity matrix (for example, the ENISA methodology, which scores the sensitivity of the data, the ease of identifying the individuals concerned and the circumstances of the breach). This helps to determine the severity of the breach and the resulting notification obligations.
A data breach might also trigger the possibility or obligation to report the breach to the appropriate computer emergency response team. This may arise if the breach affects an operator of essential services or a digital service provider.
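The decision rules set out above (PDPO notification within 72 hours of the controller becoming aware, 24 hours for a telecommunications operator; data-subject notification only for high risk and not where an Article 34(3) exception applies; an internal register entry for every breach; a CSIRT check for operators of essential services and digital service providers) are easy to get wrong under incident pressure, so incident responders often encode them in a runbook. The following is an added example written for this section; it is not code from the original guide or from any authority. It assumes the risk level ("none", "risk" or "high") is the output of the organisation’s own severity matrix, and all field and function names are hypothetical.

```python
"""Breach-notification triage helper.

Added example for this section; it is not code from the original guide or from
any authority. It encodes the decision rules described above: PDPO notification
within 72 hours of the controller becoming aware (24 hours for a
telecommunications operator), data-subject notification where the risk is high
unless an Article 34(3) exception applies, and an internal register entry for
every breach whether or not it is notified (Article 33(5)).

Assumptions (not from the page): the risk level is the output of the
organisation's own severity matrix and arrives as "none", "risk" or "high";
all field and function names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PDPO_WINDOW = timedelta(hours=72)     # GDPR Art. 33(1)
TELECOM_WINDOW = timedelta(hours=24)  # telecommunications operators
RISK_LEVELS = ("none", "risk", "high")


@dataclass
class Breach:
    breach_id: str
    controller_aware_at: datetime            # moment the controller became aware
    risk_level: str                          # "none" | "risk" | "high" (severity-matrix output)
    telecom_operator: bool = False
    essential_service_or_dsp: bool = False   # operator of essential services / digital service provider
    data_unintelligible: bool = False        # e.g. encrypted, key not exposed (Art. 34(3)(a))
    high_risk_mitigated: bool = False        # later measures removed the high risk (Art. 34(3)(b))
    individual_notice_disproportionate: bool = False  # Art. 34(3)(c)
    processor_aware_at: Optional[datetime] = None     # set when a processor detected the breach


@dataclass
class Triage:
    breach_id: str
    notify_pdpo: bool
    pdpo_deadline: Optional[datetime]
    notify_data_subjects: bool
    public_communication_instead: bool
    check_csirt_obligation: bool
    document_internally: bool = True         # every breach, notified or not
    notes: list = field(default_factory=list)


def triage(b: Breach, now: datetime) -> Triage:
    """Derive notification duties and deadlines for one breach."""
    if b.risk_level not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk_level!r}")
    notes = []

    # Supervisory authority: mandatory unless the breach is unlikely to present a risk.
    notify_pdpo = b.risk_level != "none"
    deadline = None
    if notify_pdpo:
        deadline = b.controller_aware_at + (TELECOM_WINDOW if b.telecom_operator else PDPO_WINDOW)
        if b.processor_aware_at is not None and b.processor_aware_at < b.controller_aware_at:
            lag = b.controller_aware_at - b.processor_aware_at
            notes.append(f"processor took {lag} to inform the controller; record this in the file")
        if now > deadline:
            notes.append("deadline passed: the notification must state the reasons for the delay")
        notes.append("information may be supplied in phases if not all of it is available yet")

    # Data subjects: only for high risk, and not when an Art. 34(3) exception applies.
    notify_subjects = public_comm = False
    if b.risk_level == "high":
        if b.data_unintelligible:
            notes.append("no individual notice: data unintelligible to unauthorised persons")
        elif b.high_risk_mitigated:
            notes.append("no individual notice: high risk no longer likely to materialise")
        elif b.individual_notice_disproportionate:
            public_comm = True
            notes.append("individual notice disproportionate: issue an equally effective public communication")
        else:
            notify_subjects = True

    return Triage(b.breach_id, notify_pdpo, deadline, notify_subjects, public_comm,
                  check_csirt_obligation=b.essential_service_or_dsp, notes=notes)


def assess(breach_id: str, aware_iso: str, risk_level: str, now_iso: str, **flags) -> Triage:
    """Same as triage() but takes ISO-8601 timestamps, as a ticketing system would log them."""
    processor_iso = flags.pop("processor_aware_iso", None)
    breach = Breach(breach_id, datetime.fromisoformat(aware_iso), risk_level,
                    processor_aware_at=datetime.fromisoformat(processor_iso) if processor_iso else None,
                    **flags)
    return triage(breach, datetime.fromisoformat(now_iso))


def register_entry(t: Triage) -> dict:
    """Internal register record (Art. 33(5)) so the PDPO can later verify compliance."""
    return {
        "breach_id": t.breach_id,
        "pdpo_notified": t.notify_pdpo,
        "pdpo_deadline": t.pdpo_deadline.isoformat() if t.pdpo_deadline else None,
        "data_subjects_informed": t.notify_data_subjects or t.public_communication_instead,
        "csirt_check_needed": t.check_csirt_obligation,
        "notes": list(t.notes),
    }


if __name__ == "__main__":
    # Constructed sample: a telecommunications operator learns of a high-risk breach from its processor.
    result = assess("INC-0001", "2024-03-01T09:00:00+00:00", "high", "2024-03-01T11:00:00+00:00",
                    telecom_operator=True, processor_aware_iso="2024-03-01T03:00:00+00:00")
    print(register_entry(result))   # pdpo_deadline 2024-03-02T09:00:00+00:00
```

The helper deliberately takes the risk level as an input rather than computing it: the severity assessment is the judgement call, and a runbook should not hide it behind a formula. Note that the register entry is produced even when nothing is notified, which is the accountability record the PDPO can ask for later.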
The Labour Code imposes certain restrictions in relation to the processing of personal data for employment purposes. Under these provisions, an employer may process only selected categories of employees’ personal data. Moreover, restrictions apply to the processing of other categories of personal data on the grounds of consent granted by the employee.
Additional requirements and restrictions are set out in employment-related acts and regulations, such as those on employee document handling and employee capital (retirement) plans.
In general, employee monitoring is allowed under Polish law. However, certain conditions must be met to legally monitor employees. Where necessary to ensure the safety of employees or the security of property, to control production or to keep secret information whose disclosure could expose the employer to damage, the employer may establish special supervision in the workplace or the area around the workplace in the form of technical measures that facilitate image registration (monitoring). Recordings may be processed by the employer only for the purposes for which they were collected and kept for a period of up to three months from the date of recording. Where necessary to ensure the full use of working time and the proper use of work tools, the employer may control employees’ use of official emails (email monitoring).
Due to the COVID-19 pandemic, employers should keep abreast of employment law regulations that may impact the privacy of employees. This is particularly relevant with regard to PCR testing, analysis of test results and notification of other employees about the results.
At the same time, anticipated new rules on remote working may impact employees’ privacy, including in relation to accidents at work which may require on-site control of work conditions in case of an accident.
The use of cookies is primarily subject to the Telecommunications Act and the EU General Data Protection Regulation (GDPR). To the extent that a cookie identifier is considered personal data, the rules on the lawful processing of this information are set out in the GDPR.
As a rule, storing information or accessing information already stored on the telecommunications terminal equipment of a subscriber or end user is permitted, provided that:
- the subscriber or end user:
  - is directly informed (in an unambiguous, clear and understandable manner) of the purpose of such storage, as well as of the possibility of modifications in storing or accessing the information (via his or her internet browser); and
  - gives his or her consent to this; and
- the stored information or access does not cause configuration changes to the telecommunications terminal equipment or software.
In addition, the subscriber or end user may give his or her consent through the software settings on his or her telecommunications terminal equipment or service configuration. This consent must meet the conditions for consent under the GDPR.
These rules are not restricted to cookies, but also apply to other identifiers such as tags, beacons and pixels. Consent to their use is not required if the information is used only for the transmission of communications over a public telecommunications network or is necessary to provide a service requested by the subscriber or end user.
In the case of a violation of Articles 173 and 174 of the Telecommunications Act, which set out the requirements and restrictions on cookies and other identifiers, the president of the Office of Electronic Communications may impose a penalty of up to 3% of the revenue earned by the relevant entity in the preceding calendar year.
As there is no law in Poland that specifically applies to cloud computing services, these are covered by generally applicable laws. The most important legal rules relating to cloud computing are:
- civil contract law;
- the laws on the provision of services by electronic means;
- consumer protection law; and
- cybersecurity law.
From a data protection law perspective, the key act is the GDPR.
The use of cloud computing by certain entities, primarily in the financial and insurance sectors, is subject to regulation by the Financial Supervision Commission. The key instrument from this perspective is the commission’s communication on information processing by supervised entities using public or hybrid cloud computing services (which has the nature of soft law). Specific requirements for entities from the banking sector are set out by the European Banking Authority in its guidelines on outsourcing.
Special security and geo-hosting requirements may also apply where services are provided to Polish public administration entities through the ZUCH platform (Cloud Service Delivery System). Company secrets and personal data must be hosted in the Polish jurisdiction, as they require a higher standard of data safety (Cyber Security Standards for Cloud Computing 2). Services that do not involve the processing of restricted data may be provided from the territory of EU member states.
The most important requirements and restrictions stem from:
- the GDPR;
- the Telecommunications Act;
- the Act on Providing Services by Electronic Means;
- the Act on Combating Unfair Competition;
- the Act on Combating Unfair Market Practices; and
- the Act on Competition and Consumer Protection.
However, direct marketing is mainly regulated by Article 172 of the Telecommunications Act and Article 10 of the Act on Providing Services by Electronic Means (the ‘Electronic Services Act’). The Electronic Services Act refers to the concept of ‘unsolicited commercial information’, which is not defined in the act. Its meaning can be interpreted from the notion of ‘solicited commercial information’: that is, commercial information is regarded as solicited where the recipient has consented to its receipt (in particular, where the recipient has shared an electronic address, which identifies him or her, for this purpose). Therefore, as a rule (expressed in Article 10 of the Electronic Services Act), marketers are prohibited from sending unsolicited commercial information by electronic means of communication to natural persons. However, it is permissible to send such information if the recipient has given his or her consent.
According to Article 172(1) of the Telecommunications Act, the use of telecommunications terminal equipment and automated calling systems for the purposes of direct marketing is forbidden, unless the subscriber or user has consented to such use. Pursuant to Article 174 of Telecommunications Act, and with regard to the subscriber or user’s consent, the prevailing data protection laws apply. The Telecommunications Act does not distinguish between customers and businesses with regard to consent to use telecommunications terminal equipment and automated calling systems for the purposes of direct marketing. Where online marketing messages are sent to company employees or representatives, the obligations relating to consent are identical to those that apply to customers.
Most direct online marketing activities (eg, email marketing and newsletters) involve the processing of recipients’ personal data and must thus comply with the GDPR. If an entity is considered a data controller, it must be able to demonstrate the legal basis for the processing of personal data. In practice, online marketing is usually conducted on the basis of the customer’s consent.
First, data subjects can lodge complaints with the Personal Data Protection Office (PDPO) in relation to the processing of their personal data. They can also bring claims for damages and compensation against data controllers or processors in court. The PDPO is also entitled to bring claims against data controllers and processors, and to enter pending civil proceedings at any stage on behalf of the data subject, with her or his consent.
Data privacy disputes are heard by the Polish district courts. Proceedings should be brought before the courts of the state in which the data controller or processor has an establishment or in which the data subject has his or her habitual residence (except where the data controller or processor is a public authority of an EU member state which was exercising its public powers).
An alternative to disputes handled by the common courts is the possibility to bring claims in the arbitration courts. However, this mechanism is not popular in Poland.
Disputes typically involve all matters relating to breaches of the EU General Data Protection Regulation and other data protection laws. A claimant may seek compensation for damages suffered as a result of a breach of data protection law or another effective remedy in the form of certain behaviour (eg, a public apology). Therefore, the claims of data subjects typically relate to breach of their rights, such as the right of access or the right to be forgotten. Usually, cases that are brought to court extend beyond data protection issues and concern the protection of personal rights, video surveillance issues or employment issues.
Few data protection claims are currently brought to court, so it is difficult to determine how such cases are typically resolved. However, the courts are rather reserved in awarding damages and the amounts of damages awarded thus far have not been very high.
Currently, there are few rulings by the civil courts in Poland on the protection of personal data. The most interesting decisions to date are described below.
Warsaw District Court, 6 August 2020, Case XXV C 2596/19: In this case the Warsaw District Court held that an insurance company had violated the data minimisation principle and ordered it to pay €330 in compensation to the data subject in connection with the violation.
The claimant data subject owned a car that was involved in a road collision. The claimant was not involved in the accident herself, but had purchased civil liability insurance for the car.
The person injured in the car accident requested documentation relating to the loss adjustment. The insurance company provided the injured party with all documentation, including the claimant’s personal data (eg, name, address, national identification number and telephone number). The insurance company informed the data subject of its mistake. The data subject was afraid of the possible consequences and thus changed her telephone number and stipulated to her bank that withdrawals from her account could be made only upon her instruction.
The court held that the insurance company had the right to provide certain personal data of the owner of the car involved in the accident to the injured party, even though the owner had not been driving the car herself. However, the insurance company should have provided a narrow range of data, excluding phone number and national identification number. The transfer of this data was unlawful and caused non-pecuniary damage to the data subject. This justified an award of damages to the claimant.
This decision is noteworthy because it is the first ruling in Poland in which a court has found harm from a personal data breach.
Elbląg District Court, 24 March 2021, Case IV Pa 10/21: The Elbląg District Court upheld a decision of the Ostróda Regional Court which found that obtaining unlawful access to personal data held by the Social Security Institution constituted a breach of fundamental employee duties.
The claimant employee obtained access to the personal data of individuals registered with the Social Security Institution, which was unrelated to the performance of her duties. During the proceedings both before the employer and before the court, the employee did not explain why she had accessed this data. The court found that the employee had received training on the data protection regime and the possible consequences of violations, and had admitted that she was aware of the policies in force in the workplace. Accordingly, the court found that her actions, which constituted a violation of the employer’s policies, were intentional and conscious.
In her defence, the claimant stated that no damage had been suffered by the employer or the data subjects as a result of her actions. However, the court found that the offence set out in Article 107 of the Data Protection Act – the processing of data without legal basis or authorisation – does not include damage as an element of the offence. The claimant’s actions were thus unlawful due to the absence of a connection with her duties as an employee; and the fact that no damage had occurred as a consequence of her actions was irrelevant in assessing her actions.
This ruling is significant as it indicates that employees who process data beyond the scope of their authorisation may be severely punished, including through disciplinary dismissal for cause.
Currently, the enforcement of the EU General Data Protection Regulation continues to escalate, as reflected in the increasing number of decisions and the severity of the financial penalties imposed on entities and businesses in various industries. We assume that this trend will continue, as indicated by the recent statistics on Personal Data Protection Office (PDPO) activity.
It is likely that in the coming months the new e-Privacy Act will be in the spotlight and significant legislative progress or even the act’s adoption can be expected. Other legislative initiatives under the Digital Single Market Strategy for Europe may also be finalised, including regulations that complement privacy-related regulations, such as the Data Governance Act, the Digital Services Act, the Digital Markets Act and the NIS 2 Directive (the revised Networks and Information Systems Directive).
In 2022, we expect that the PDPO will focus on the use of mobile applications, and particularly on how to secure and share the personal data that is processed in connection with such use. In addition, we expect that the PDPO will examine the processing of personal data of bank clients and potential clients with respect to profiling, and how credit applicants are informed about their creditworthiness assessment. The PDPO will also take action to verify the processing of personal data in the Schengen Information System and the Visa Information System.
The legal requirements on marketing activity should be considered. If you use electronic means of communication (eg, emails, phone calls) for marketing purposes, you must have a legal basis for such activity (eg, consent) separate from that for personal data processing. As a result, you may need more than one form of consent to send marketing content via email or SMS.
The notification of data protection breaches to the Personal Data Protection Office (PDPO) will sometimes require a careful qualification of the facts. It is particularly useful to study the PDPO’s past practice and decisions in similar cases – for example, it takes a strict approach to data protection violations resulting in the unauthorised disclosure of national identification numbers.
Also give consideration to the use of cookies and other tracking technologies. Some may process a set of information that constitutes personal data. Be mindful of the need to obtain consent for the use of cookies and similar technologies, and of the specific requirements on consent under the EU General Data Protection Regulation.