1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
In Poland, the primary legal act governing data protection is the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which applies directly across all EU member states. In addition to the GDPR, the following national legislative and regulatory acts govern data privacy in Poland:
- the Act of 10 May 2018 on the Protection of Personal Data;
- the 1997 Constitution;
- the Act of 21 February 2019 amending certain acts in connection with ensuring the application of the GDPR (which harmonises sector-specific laws with the GDPR);
- the Act of 18 July 2002 on Providing Services by Electronic Means;
- the Electronic Communications Act (7 July 2023);
- the Labour Code (Act of 26 June 1974); and
- the Banking Law Act (29 August 1997).
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
In Poland, several sector-specific regimes apply to the processing of personal data, depending on the industry and the nature of the data. These regimes are often based on both EU regulations and national laws. Key examples include the following.
Sector-specific regimes:
- Banking: The Banking Law Act regulates the processing of customer data by financial institutions, particularly in relation to banking secrecy and anti-money laundering obligations.
- Insurance: The processing of personal data in the insurance sector is governed by the Act of 11 September 2015 on Insurance and Reinsurance Activity.
- Telecommunications and electronic communications: The Electronic Communications Act includes provisions on:
  - user consent;
  - confidentiality of communications;
  - metadata;
  - cookies; and
  - unsolicited marketing.
- Healthcare and clinical trials: The processing of health data is subject to stricter safeguards under Article 9 of the GDPR (special category data). In addition:
  - Regulation (EU) No 536/2014 on clinical trials of medicinal products governs the processing of personal data related to human clinical research, ensuring ethical conduct and participants' rights; and
  - the Clinical Trials Act (9 March 2023) complements the EU regulation and sets national rules for conducting, supervising and registering clinical trials, including consent procedures and participant data protection.
- Employment: The Labour Code regulates the scope and conditions for processing employee data (eg, for recruitment, monitoring, drug testing or recording working time). It is also subject to the GDPR.
- Advertising and online services: The Act on Providing Services by Electronic Means and the Electronic Communications Act regulate direct marketing and profiling practices, particularly the use of:
  - cookies;
  - tracking technologies; and
  - email/SMS marketing.
Data-type specific regimes:
- Biometric data: Classified as special category data under Article 9 of the GDPR, biometric data (eg, fingerprints, facial recognition) may be processed only under strict conditions, such as explicit consent or employment law exemptions defined by national law.
- Health data: This requires additional safeguards. National laws may impose stricter conditions for processing such data, especially in the medical, insurance or public health contexts.
- Criminal data: The processing of data relating to criminal convictions and offences is subject to Article 10 of the GDPR and may only be carried out:
  - under the control of an official authority; or
  - when authorised by law.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
As an EU member state, Poland follows the GDPR, which governs international transfers of personal data outside the European Economic Area.
Personal data can be transferred freely to countries that the European Commission has found to provide an adequate level of data protection. These include:
- Andorra;
- Argentina;
- Canada (commercial organisations);
- the Faroe Islands;
- Guernsey;
- Israel;
- the Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- South Korea;
- Switzerland;
- the United Kingdom;
- the United States (only certified entities under the EU-US Data Privacy Framework); and
- Uruguay.
Where there is no adequacy decision, the following mechanisms may be used:
- Standard contractual clauses: Pre-approved contract terms to ensure safeguards.
- Binding corporate rules: Internal rules approved for transfers within multinational groups (Article 47 of the GDPR).
- Derogations (Article 49 of the GDPR): These apply in exceptional cases – for example:
  - explicit consent (with full risk disclosure);
  - necessity for a contract or public interest; or
  - legal claims or vital interests.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The president of the Personal Data Protection Office (PUODO) is the main public authority responsible for supervising data protection in Poland. The PUODO is an independent body appointed by the Sejm (the lower house of Parliament) with the consent of the Senate for a four-year term.
The Sejm is also responsible for enacting data protection laws and other legislation regulating the processing of personal data in Poland.
Under Article 57 of the GDPR, the PUODO's key responsibilities include:
- monitoring and enforcing the application of the GDPR;
- raising public awareness about data protection risks, rights, safeguards and obligations;
- advising the national Parliament, government and other public institutions on data protection matters;
- handling complaints submitted by data subjects or their representatives;
- conducting investigations and issuing administrative decisions; and
- imposing administrative fines for GDPR violations, where proportionate and necessary.
The PUODO also participates in the European Data Protection Board (EDPB) to support the consistent application of data protection law across the European Union.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
According to Recital 77 of the GDPR, guidance on implementing appropriate technical and organisational measures can be provided through:
- approved codes of conduct;
- approved certification mechanisms;
- guidelines issued by the EDPB; and
- recommendations from data protection officers.
These instruments help entities to:
- assess risks based on their source, nature, likelihood and severity; and
- adopt best practices to minimise such risks effectively.
The EDPB may also issue guidance regarding processing operations that are not considered high risk, indicating appropriate safeguards in those contexts.
Further, Articles 40 to 42 of the GDPR regulate these tools explicitly:
- Article 40 encourages the establishment and approval of codes of conduct tailored to specific sectors or processing contexts, which assist in clarifying and harmonising data protection obligations.
- Article 41 details the approval process of such codes by supervisory authorities.
- Article 42 provides for voluntary certification mechanisms and data protection seals or marks, helping organisations to demonstrate their compliance with GDPR requirements.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The General Data Protection Regulation (GDPR) governs the processing of personal data by all entities – in particular, natural persons, legal persons, public authorities and other organisational units – insofar as the processing is carried out within the scope governed by EU law or national law.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Under the GDPR, there are several exceptions that exclude the application of data protection provisions. These include:
- processing carried out in areas not governed by EU law or Polish law;
- processing carried out by a natural person in the course of a purely personal or household (private, non-professional) activity; and
- processing by competent authorities for the purposes of:
  - preventing crime;
  - conducting pre-trial proceedings;
  - detecting and prosecuting offences; or
  - executing penalties related to such offences.
  This exception also covers safeguarding against and preventing threats to public security.
2.3 Does the data privacy regime have extra-territorial application?
Yes, according to Article 3 of the GDPR, the regulation also has extra-territorial application. According to this article, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the European Union. The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where:
- goods or services are offered to such data subjects, regardless of whether payment is required; or
- their behaviour is monitored, insofar as their behaviour takes place within the European Union.
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
The definitions of individual terms are provided directly in the General Data Protection Regulation (GDPR) (Article 4), as follows.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(d) Data subject
An identified or identifiable natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; and data concerning health, sex life or sexual orientation (Article 9(1) of the GDPR).
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
‘Data breach': A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
The General Data Protection Regulation (GDPR) does not impose an obligation to register a data controller or a data processor.
According to Articles 4(7) and (8), any entity that independently determines the purposes and means of the processing of personal data or processes data on behalf of the controller is considered a data controller or a data processor. This is the only substantive criterion that must be met (while also considering the territorial scope of the GDPR) for an entity to be recognised as a controller or processor.
4.2 What is the process for registration?
The GDPR does not include any requirements regarding the registration of data controllers or data processors. Therefore, there is no formal or specific procedure for such registration.
4.3 Is registered information publicly accessible?
There is no publicly available register of the entities to which the GDPR applies. Since the GDPR does not provide for such a register, there is no registered information that could be made publicly accessible.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Under the General Data Protection Regulation (GDPR), two types of legal bases for processing personal data are distinguished:
- the processing of so-called ‘regular data' (Article 6); and
- the processing of special categories of personal data (Article 9(2)).
In this context, ‘regular data' may be processed when:
- the data subject has given consent;
- the processing is necessary for the performance of a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In turn, with respect to special categories of data, the data may be processed where:
- the data subject has given explicit consent;
- the processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, where authorised by EU or national law;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is carried out by a foundation, association or other non-profit body with a political, philosophical, religious or trade union aim, in the course of its legitimate activities;
- the processing relates to personal data which has manifestly been made public by the data subject;
- the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- the processing is necessary for reasons of substantial public interest;
- the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or for reasons of public interest in the area of public health; or
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The key principles of personal data processing, which apply to every processing operation, are those set out in Article 5 of the GDPR. These include:
- the principle of lawfulness, fairness and transparency;
- the principle of purpose limitation;
- the principle of data minimisation;
- the principle of accuracy;
- the principle of storage limitation;
- the principle of integrity and confidentiality; and
- the principle of accountability.
These principles are of fundamental importance in interpreting the GDPR. They establish the framework within which every processing operation falling within the material and personal scope of the GDPR must fit.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Among the other requirements imposed by the GDPR, the obligation to provide information (Articles 13 and 14 of the GDPR) should be noted. These provisions concern the duty to inform data subjects that their personal data is being processed. In this context, the data subject must be informed of, among other things:
- the identity and contact details of the controller and, where applicable, of the data protection officer;
- the purposes of the processing and its legal basis;
- the controller's legitimate interests (where applicable);
- the recipients of the data;
- any intention to transfer the data to a third country;
- the data retention period;
- the rights of the data subject; and
- the right to lodge a complaint with a supervisory authority.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Under the General Data Protection Regulation (GDPR), the transfer of personal data to third countries (ie, countries outside the European Economic Area) is subject to strict requirements and restrictions. Such transfers are permissible only under specific legal grounds, as outlined below:
- Adequacy decision by the European Commission: Transfers are allowed where the European Commission has adopted a decision determining that the third country ensures an adequate level of protection for personal data that is essentially equivalent to the level of protection guaranteed by the GDPR (Article 45 of the GDPR).
- Standard contractual clauses (SCCs): If no adequacy decision is in place, the controller or processor may transfer personal data to a third country by incorporating SCCs adopted by the European Commission. These clauses impose contractual obligations on both parties to ensure adequate data protection safeguards in the third country (Article 46(2)(c) of the GDPR).
- Binding corporate rules (BCRs): A corporate group (or group of undertakings engaged in a joint economic activity) may rely on binding corporate rules, which are approved by the competent supervisory authority, to enable intra-group data transfers. BCRs must provide enforceable data subjects' rights and ensure appropriate safeguards for the protection of personal data transferred outside the European Economic Area (EEA) (Article 47 of the GDPR).
- Approved codes of conduct and certification mechanisms: Under certain circumstances, data transfers may also be based on approved codes of conduct (Article 40 of the GDPR) or approved certification mechanisms (Article 42 of the GDPR), together with binding and enforceable commitments of the data importer in the third country to apply appropriate safeguards (Articles 46(2)(e) and (f) GDPR).
Derogations for specific situations: In the absence of an adequacy decision or appropriate safeguards, data transfers to a third country may occur in specific situations (Article 49 of the GDPR) – for example:
- the data subject has explicitly consented to the proposed transfer after being informed of the possible risks;
- the transfer is necessary for the performance of a contract between the data subject and the controller;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
These safeguards and exceptions are designed to ensure that the fundamental rights and freedoms of data subjects are respected, even when their data is transferred beyond the European Union's jurisdiction.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Under the GDPR, the transfer of personal data abroad (ie, outside the EEA) is subject to strict requirements that vary depending on the destination. The key consideration is whether the European Commission has issued an adequacy decision for the third country in question.
The European Commission has adopted adequacy decisions in relation to the following countries and territories:
- Andorra;
- Argentina;
- Canada (commercial organisations);
- the Faroe Islands;
- Guernsey;
- Israel;
- the Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- South Korea;
- Switzerland;
- the United Kingdom (under both the GDPR and the Law Enforcement Directive);
- the United States (for commercial organisations participating in the EU-US Data Privacy Framework); and
- Uruguay.
Transfers to these countries may be carried out under the same conditions as transfers within the EEA, without the need for additional safeguards.
However, where an adequacy decision is not in place, the data exporter must rely on appropriate safeguards, such as SCCs. In this context, the data exporter is required to carry out a so-called ‘transfer impact assessment'. This assessment involves:
- evaluating whether the transfer might compromise the fundamental rights and freedoms of data subjects; and
- reviewing the laws and practices of the destination country to determine whether they provide adequate protection for personal data.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
In addition to the specific issues concerning data transfers, the general principles of the GDPR set out in Article 5 apply. Furthermore, despite the transfer of data, the data subject must have a genuine opportunity to exercise their rights. In particular, they must be properly informed about the transfer of their personal data to a third country, in accordance with Articles 13 and 14 of the GDPR.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
The General Data Protection Regulation (GDPR) grants data subjects a range of rights. These concern the following issues:
- Right to information: Pursuant to Articles 13 and 14 of the GDPR, the data subject has the right to be informed that their personal data is being processed.
- Right of access: Under this right, the data subject is entitled to:
  - obtain confirmation as to whether their personal data is being processed; and
  - if so, access details of, among other things:
    - the purposes of the processing;
    - the categories of processed data; and
    - the planned data retention period (Article 15 of the GDPR).
- Right to rectification: Under this right, the data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay (Article 16 of the GDPR).
- Right to erasure (‘right to be forgotten'): This right effectively covers two issues:
  - The data subject has the right to request the erasure of personal data concerning them. The controller must comply without undue delay where, in particular:
    - the personal data is no longer necessary for the purposes for which it was collected;
    - the data subject withdraws their consent to processing or objects to the processing of their data; or
    - the data was processed unlawfully.
  - Where the controller has made the personal data public and is obliged to erase it, the controller must take reasonable steps to inform other controllers processing the data that the data subject has exercised their right to erasure, including erasure of copies or links to that personal data (Article 17 of the GDPR).
- Right to restriction of processing: Under this right, the data subject has the right to request the restriction of the processing of their personal data, meaning that the data may only be stored. This right may be exercised in the following cases:
  - the data subject contests the accuracy of the data;
  - the processing is unlawful;
  - the controller no longer needs the data for the purposes of processing but it is required by the data subject for the establishment, exercise or defence of legal claims; or
  - the data subject has objected to the processing of their personal data (Article 18 of the GDPR).
- Right to data portability: Under this right, the data subject has the right to:
  - receive the personal data concerning them which they have provided to a controller in a structured, commonly used and machine-readable format; and
  - transmit this data to another controller without hindrance from the original controller.
  The data subject may exercise this right only if the processing is:
  - based on consent or on a contract; and
  - carried out by automated means (Article 20 of the GDPR).
- Right to object: Under this right, the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of their personal data which is based on:
  - the performance of a task carried out in the public interest or in the exercise of official authority; or
  - the legitimate interests of the controller.
  This right also applies when data is processed for the purposes of direct marketing (Article 21 of the GDPR).
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
With respect to the obligation to provide information (Articles 13 and 14 of the GDPR), this responsibility falls within the remit of the controller's activities. This means that the controller is obliged to take proactive steps to fulfil this obligation. In other respects, the action is initiated by the data subject. This primarily involves the submission of an appropriate request. The controller is then obliged to verify the request, including checking whether it is submitted by an authorised person.
7.3 What remedies are available to data subjects in case of breach of their rights?
The GDPR provides for several legal remedies. In addition to the rights outlined in question XX, the data subject may, in particular, pursuant to Article 77 of the GDPR, lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the provisions of the GDPR.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Under Article 37(1) of the General Data Protection Regulation (GDPR), the appointment of a data protection officer (DPO) is mandatory in Poland under the following circumstances:
- Public authorities or bodies must appoint a DPO, except for courts acting in their judicial capacity.
- A DPO must be appointed where the core activities of the controller or processor consist of processing operations which, by their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale.
- A DPO must be appointed where the core activities of the controller or processor consist of the processing on a large scale of:
  - special categories of personal data (as per Article 9(1) of the GDPR); or
  - personal data relating to criminal convictions and offences (as per Article 10 of the GDPR).
For cases not falling under these criteria, the appointment of a DPO is voluntary.
Failure to appoint a DPO when required may lead to:
- regulatory investigations by the Personal Data Protection Office (PUODO); and
- administrative fines under Article 83 of the GDPR, which may reach up to €10 million or 2% of global annual turnover, whichever is higher.
8.2 What qualifications or other criteria must the data protection officer meet?
Under Article 37(5) of the GDPR, a DPO must be appointed based on professional qualifications – especially:
- expert knowledge of data protection law and practices; and
- the ability to perform the tasks listed in Article 39 of the GDPR.
The required expertise depends on the nature, complexity and scale of the data processing. The DPO should have:
- strong knowledge of EU and national data protection laws, including the GDPR;
- practical understanding of data protection operations, including IT and security;
- sector-specific knowledge and familiarity with the organisation's activities; and
- for public bodies, knowledge of administrative procedures.
A DPO should demonstrate:
- professional integrity;
- independence; and
- a compliance-oriented approach.
Their key responsibilities include:
- supporting GDPR compliance;
- promoting a data protection culture; and
- advising on issues such as:
  - data subjects' rights;
  - risk assessments; and
  - breach notifications.
8.3 What are the key responsibilities of the data protection officer?
According to Article 39 of the GDPR, the DPO's main responsibilities include:
- informing and advising the controller, processor and employees on their data protection obligations under the GDPR and national laws;
- monitoring compliance with the GDPR, other applicable data protection laws and internal policies, including by:
  - assigning responsibilities;
  - raising awareness;
  - providing staff training; and
  - conducting audits;
- advising on data protection impact assessments (DPIAs) and monitoring their performance (Article 35 of the GDPR);
- cooperating with the supervisory authority (eg, PUODO); and
- acting as a contact point for the supervisory authority on issues related to processing, including prior consultations (Article 36), and consulting internally on data protection matters.
The DPO must carry out these tasks with due regard to the risks associated with data processing operations, considering the nature, scope, context and purposes of the processing.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Under Article 37(6) of the GDPR, it is permissible to outsource the role of the DPO to an external service provider based on a service agreement. This agreement is not considered a data processing agreement because its subject is not the processing of personal data on behalf of the controller, but rather the performance of DPO duties as specified in Article 39 of the GDPR.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Record of processing activities (ROPA): Under Article 30 of the GDPR, controllers must keep a ROPA that documents, among other things:
- the purposes of the processing;
- the categories of personal data processed;
- the recipients of the data (including third-country entities);
- security measures (eg, encryption, access controls); and
- the planned data retention periods.
Processors must maintain a record of categories of processing activities, focusing on operations carried out on behalf of the controller.
Organisations with fewer than 250 employees are exempt from this obligation unless the processing:
- is likely to result in a risk to the rights and freedoms of data subjects;
- is not occasional; or
- includes special categories of data or data relating to criminal convictions and offences.
Data breach register: According to Article 33(5) of the GDPR, controllers must document all personal data breaches in a register, even those that do not require notification to the PUODO.
The register must include:
- a description of the breach;
- the date on which the breach was detected;
- the approximate number of affected individuals;
- the potential consequences of the breach; and
- the remedial actions taken.
DPIA: Under Article 35 of the GDPR, organisations must conduct and document a DPIA where the processing is likely to result in a high risk to individuals' rights – for example, in the case of:
- large-scale processing;
- the use of special category data; or
- innovative technologies.
Other documentation requirements include the following:
- Consent records: Controllers must retain evidence of data subject consent for as long as the processing continues.
- Data retention policies: Organisations should develop written data retention schedules defining the length of time for which different categories of personal data are kept.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
From a compliance perspective, organisations must:
- ensure data minimisation and purpose limitation, collecting only necessary data for specific purposes with a lawful basis such as consent or legal obligation;
- respect data subjects' rights by acting promptly on access, correction, erasure and objection requests;
- integrate privacy by design and default into systems, along with technical safeguards such as encryption;
- conduct DPIAs for high-risk processing;
- have clear breach notification procedures;
- manage third-party processors through contracts and monitor compliance;
- appoint a qualified, independent DPO when required; and
- implement regular staff training, audits and policy updates to maintain ongoing compliance and demonstrate accountability.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Data controllers and processors are required under Article 32 of the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures should take into account:
- the state of the art;
- implementation costs;
- the nature, scope, context and purposes of the processing; and
- the likelihood and severity of risks to individuals' rights and freedoms.
Such measures may include:
- pseudonymisation and encryption of personal data;
- measures to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to quickly restore data availability after physical or technical incidents; and
- regular testing and evaluation of the effectiveness of security measures.
The adequacy of security is assessed in particular with regard to risks such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data. Furthermore, anyone authorised by the controller or processor to access personal data must process it only on the controller's instructions, unless otherwise required by law.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Personal data breaches must be reported to the supervisory authority (in Poland, the PUODO):
- without undue delay; and
- where feasible, no later than 72 hours after the controller becomes aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
The breach notification to the supervisory authority must include at least:
- a description of the nature of the breach, including, where possible:
  - the categories and approximate number of data subjects affected; and
  - the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (DPO) or another contact point where more information can be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to:
  - address the breach; and
  - mitigate its possible adverse effects.
If all information is not available at once, it can be provided progressively without undue delay.
The processor must notify the controller without undue delay after becoming aware of a breach.
Additionally, the controller is required to document all breaches – including their facts, effects and remedial actions taken – to enable the supervisory authority to verify compliance.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Under Article 34 of the GDPR, data controllers must notify affected data subjects without undue delay if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals.
The notification to data subjects must:
- be communicated in clear and plain language;
- describe the nature of the data breach; and
- include at least the information and measures specified in Articles 33(3)(b), (c), and (d) of the GDPR – that is:
  - the contact details of the DPO or other contact point;
  - the likely consequences of the breach; and
  - the measures taken or proposed to:
    - address the breach; and
    - mitigate its possible adverse effects.
Notification to the affected individuals is not required if any of the following applies:
- the controller had applied appropriate technical and organisational protection measures (eg, encryption) to the affected data, rendering it unintelligible to unauthorised persons;
- the controller has taken subsequent measures which ensure that the high risk to data subjects is no longer likely to materialise; or
- notifying individuals would involve a disproportionate effort, in which case a public communication or similar measure must be used to inform the data subjects in an equally effective manner.
If the controller has not yet informed the data subjects, the supervisory authority may:
- require notification if it considers that the breach poses a high risk; or
- determine that the exceptions apply.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Documenting all breaches (Article 33(5) of the GDPR): Controllers must document every personal data breach, including:
- the facts of the breach (what happened, causes, data affected);
- the effects and consequences of the breach; and
- the remedial actions taken.
This record enables the supervisory authorities to verify compliance.
Internal breach register: Controllers are encouraged to maintain an internal register of breaches, which can be part of the record of processing activities (Article 30 of the GDPR).
Documenting decision-making: Controllers should document:
- the reasoning behind decisions such as why a breach was not notified (eg, it was assessed as low risk);
- the justification for any delayed notification; and
- where individuals are notified, evidence of the communication, including its timing and content.
Notification procedures: Controllers and processors should have a documented breach notification procedure, outlining steps for:
- detection, containment, management and recovery; and
- risk assessment and notification to authorities/individuals.
Employees should be trained on this procedure and know how to respond.
DPO involvement and tasks (Articles 37 and 39 of the GDPR): The DPO should:
- advise on data protection and GDPR compliance;
- monitor compliance and assist with DPIAs; and
- act as liaison with supervisory authorities and data subjects.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
In the Polish legal system, the processing of employees' personal data is subject to special protection under the General Data Protection Regulation (GDPR) and the Labour Code. Employers, as data controllers, must follow the principle of data minimisation, collecting only data necessary for employment purposes or required by law. Under Article 22¹ of the Labour Code, at the recruitment stage employers may request basic personal details and contact data, and may request education, professional qualifications and employment history only where these are necessary to perform the job in question.
After employment begins, additional data (eg, address and national identification (PESEL) number) and details of family members may be collected where needed to exercise specific rights under labour law.
Special category data, such as health information or details of religious beliefs, may be processed on the basis of the employee's consent only where the employee provides such data on their own initiative (Article 22¹b of the Labour Code); other processing is limited to what the law expressly requires (eg, medical fitness certificates). Employers must:
- inform employees about the purpose, scope and legal basis of data processing; and
- respect their dignity and rights.
Personal data cannot be used unlawfully or shared without a legal basis. When data are shared with other companies in a corporate group or with business partners, an appropriate legal basis, safeguards and information to the employees must be ensured.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
In Poland, employee surveillance is allowed but is strictly regulated under Articles 22² and 22³ of the Labour Code. Employers may introduce video monitoring of the workplace premises or the area around them only if necessary to:
- ensure employee safety;
- protect property;
- control production; or
- safeguard confidential information that could harm the employer if disclosed.
Monitoring cannot cover premises made available to trade union organisations, sanitary facilities, changing rooms, canteens or smoking areas, unless this is:
- necessary to achieve the permitted purposes; and
- done in a way that does not infringe employee dignity or other personal rights.
Monitoring of sanitary facilities additionally requires the prior consent of the company trade union organisation or, where there is none, of the employee representatives.
Recorded footage must be:
- used solely for the purposes for which it was collected; and
- stored for no longer than three months, unless needed as evidence in legal proceedings, in which case retention extends until the case concludes. After these periods, recordings containing personal data must be destroyed unless other laws require otherwise.
The scope, purpose and methods of monitoring must be defined in:
- collective agreements;
- workplace regulations; or
- employer announcements.
Employers must:
- inform employees at least two weeks before monitoring starts; and
- provide written information before employment begins.
Monitored areas must be clearly marked with visible signs or audible announcements at least one day prior to activation.
Employee email monitoring (Article 22³ of the Labour Code) is permitted only where necessary to ensure:
- proper organisation of work; and
- effective use of working time and tools.
However, it must not violate the secrecy of correspondence or other personal rights of employees. The same notification and transparency rules apply to email and any other necessary forms of monitoring.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Joint controllership in a group of companies: When several entities in a corporate group jointly decide on the purpose and means of data processing, they act as joint controllers under Article 26 of the GDPR.
Key obligations include the following:
- Joint arrangements: Clearly define respective roles and responsibilities, particularly regarding:
  - transparency;
  - responding to data subjects' rights; and
  - legal compliance.
- The essence of the arrangement must be made available to the data subjects, ie, the employees.
- Single point of contact: It is good practice to appoint a data protection officer as the central point for data subjects.
- Full rights enforcement: Employees may exercise their GDPR rights against any one of the joint controllers, regardless of internal agreements.
- Commencement of employment relationship: The employer must keep personnel files and meet data protection obligations. Generally, making photocopies of identity documents is not allowed, as it may involve collecting unnecessary data. Some personal life details (eg, marriage, court summons) may be stored if needed to grant specific employee rights.
- On hiring of a candidate: The employer must provide updated information under the GDPR, since the purpose and scope of data processing change once the candidate is hired. This can be done by:
  - issuing an information clause at the recruitment stage that already covers the employment relationship; or
  - giving a new information notice after employment starts.
- Social media: As a rule, employers and recruitment agencies are not allowed to collect personal data about job candidates from social media or other publicly available sources. Although candidates may build their online presence intentionally, it does not justify using such information in recruitment. Doing so can lead to unfair profiling and negatively influence the assessment of a candidate.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
- User consent:
  - Prior informed consent is required before storing or accessing cookies (or similar identifiers) on a user's device, except for cookies that are strictly necessary to provide a service explicitly requested by the user (eg, a session cookie that keeps a logged-in user authenticated), which are exempt from the consent requirement.
  - Consent must be freely given, specific, informed and unambiguous, typically through a clear affirmative action such as ticking a box or clicking "Accept" on a cookie banner; pre-ticked boxes, continued browsing or mere inaction do not constitute valid consent.
- Clear information:
  - Users must be provided with transparent information about:
    - the types of cookies used;
    - their purposes (eg, analytics, advertising); and
    - the identity of any third parties that may access the data.
  - This information is usually included in a cookie policy or privacy notice.
- Right to withdraw consent:
  - Users must be able to withdraw their consent at any time, and withdrawal must be as easy as giving consent.
  - Websites should offer cookie settings or controls that allow users to manage their preferences per purpose, and must stop setting and reading the cookies for any purpose for which consent has been refused or withdrawn.
- Data protection compliance: If cookies collect personal data (eg, IP addresses, user behaviour), their use must comply with General Data Protection Regulation (GDPR) principles, including:
  - a legal basis (typically consent);
  - data minimisation;
  - purpose limitation; and
  - security measures.
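The consent rules above (no non-essential cookie before a decision, per-purpose choice, withdrawal that actually removes cookies, and a retained record of what was consented to, as required by the consent-records point in section 8) are in practice enforced in browser-side JavaScript. The following is an added example written for this chapter, not code from the original text or from any regulator, showing one way to gate cookies on consent. The purpose names (`analytics`, `advertising`), the policy version string, the cookie names and the in-memory `MemoryCookieStore` standing in for `document.cookie` are all assumptions made for the example; on a real site the store would be a thin adapter over `document.cookie` and the consent record would also be sent to the server so the controller can produce it on request.

```javascript
// Added example: consent-gated cookie handling. Not from the original chapter.
// Purpose names, cookie names and the in-memory store are assumptions for the demo;
// in a browser the store would wrap document.cookie.

const ESSENTIAL = "essential";                         // strictly necessary: exempt from consent
const CONSENT_PURPOSES = ["analytics", "advertising"]; // non-essential purposes that need consent

class ConsentGatedCookies {
  constructor(store, { policyVersion = "2025-01", now = () => new Date() } = {}) {
    this.store = store;           // anything with set/remove (here MemoryCookieStore)
    this.policyVersion = policyVersion;
    this.now = now;               // injectable clock so the consent record is reproducible
    this.purposeOf = new Map();   // cookie name -> declared purpose
    this.consent = null;          // null = no decision recorded yet (treated as refusal)
  }

  // Record the user's choice. Only purposes actively selected are granted; everything
  // else is refused. Timestamp and policy version are kept as the evidence of consent.
  recordConsent(selectedPurposes) {
    const granted = CONSENT_PURPOSES.filter((p) => selectedPurposes.includes(p));
    this.consent = { granted, policyVersion: this.policyVersion, at: this.now().toISOString() };
    // Narrowing or withdrawing consent must take effect: drop cookies for refused purposes.
    for (const [name, purpose] of this.purposeOf) {
      if (purpose !== ESSENTIAL && !granted.includes(purpose)) this.store.remove(name);
    }
    return this.consent;
  }

  withdrawAll() {
    return this.recordConsent([]);
  }

  hasConsent(purpose) {
    if (purpose === ESSENTIAL) return true;
    return this.consent !== null && this.consent.granted.includes(purpose);
  }

  // Write a cookie only if its declared purpose is covered. Returns true if written.
  setCookie(name, value, purpose) {
    if (purpose !== ESSENTIAL && !CONSENT_PURPOSES.includes(purpose)) {
      throw new Error(`undeclared cookie purpose: ${purpose}`);
    }
    this.purposeOf.set(name, purpose); // remembered so a later withdrawal can clean it up
    if (!this.hasConsent(purpose)) return false;
    this.store.set(name, value);
    return true;
  }
}

// In-memory stand-in for document.cookie (constructed for the example).
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()].sort(); }
}

// Walk through the lifecycle: before any decision, after a partial consent, after withdrawal.
function demo() {
  const store = new MemoryCookieStore();
  const cookies = new ConsentGatedCookies(store, { now: () => new Date("2025-01-15T10:00:00Z") });

  const analyticsBeforeConsent = cookies.setCookie("_ga", "GA1.2.123", "analytics"); // false
  cookies.setCookie("session", "abc123", ESSENTIAL); // strictly necessary: always allowed

  cookies.recordConsent(["analytics"]); // user ticked analytics only
  const analyticsAfterConsent = cookies.setCookie("_ga", "GA1.2.123", "analytics"); // true
  const advertisingRefused = cookies.setCookie("_fbp", "fb.1.1", "advertising");    // false
  const namesWithConsent = store.names(); // ["_ga", "session"]

  const record = cookies.withdrawAll();   // _ga is removed, session stays
  return { analyticsBeforeConsent, analyticsAfterConsent, advertisingRefused,
           namesWithConsent, namesAfterWithdrawal: store.names(), record };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that the absence of a decision is treated exactly like a refusal: a cookie whose purpose is not covered is never written, rather than written and later deleted, and every non-essential cookie must be declared with a purpose so that withdrawal can be enforced mechanically instead of relying on each script to behave.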
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Under the Polish legal system, there are no specific regulations governing the protection of personal data in the context of cloud computing. Cloud-related issues are partially regulated by the EU Data Act, which applies from 12 September 2025 and provides, among other things, for easier switching between cloud service providers. Additionally, the Financial Supervision Authority (KNF) has issued a communication setting out the principles for the processing of information in the cloud by entities in the regulated financial sector.
However, neither the Data Act nor the KNF communication directly addresses the issue of personal data protection. In this respect, the general provisions on the protection of personal data apply.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
From a marketing perspective, in the context of personal data, the GDPR states that the processing of personal data may be based on legitimate interests (Recital 47 of the GDPR) for the purposes of direct marketing. Direct marketing is a specific form of marketing in which messages are sent directly to individuals – for example, via email. Therefore, data controllers are not required to rely solely on the consent of the data subjects.
However, under Article 398 of the Electronic Communications Act, the use of automated calling systems or telecommunications terminal equipment for the purpose of sending commercial information is prohibited, unless the user has given their prior consent.
In other respects, general provisions of the GDPR apply to marketing activities. This means, in particular, that data controllers must fulfil their information obligation under Articles 13 and 14 of the GDPR, ensuring that individuals are properly informed about the processing of their personal data.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
Data protection disputes are rarely litigated before the civil courts in Poland. Instead, Polish citizens are very active in submitting complaints to the Data Protection Authority (DPA), which reviews several thousand such complaints annually. Proceedings on such complaints are governed by the General Data Protection Regulation and the Code of Administrative Procedure, a formal procedure that in most cases ends with a formal decision that may be challenged:
- before the Voivodeship Administrative Court in Warsaw; and
- then before the Supreme Administrative Court.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Typically, data subjects' complaints are reviewed by the DPA. They generally involve:
- the processing of data for marketing purposes (eg, with the use of email or telephone);
- debt collection practices;
- credit scoring by banks;
- employment-related privacy issues; or
- the unauthorised disclosure of data.
12.3 Have there been any recent cases of note?
The most notable cases relate to data breaches, which are a particular focus of the DPA. In several cases, significant fines have been imposed on controllers in relation to such breaches. In recent months, the DPA has also issued noteworthy decisions on data retention, in particular in connection with the provision of financial services (credit scoring and the retention of data for legal claims).
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
- It is expected that data processed with the use of AI models will be closely monitored by the Data Protection Authority (DPA).
- New laws relating to data were recently enacted or are on the horizon (eg, the Data Act, the Data Governance Act, the AI Act) and the DPA will provide clarity on how these impact on privacy.
- We anticipate that data breaches will remain at the top of the list when it comes to the most significant fines imposed by the DPA in the next 12 months.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Controllers and processors should follow guidelines of the Data Protection Authority (DPA) on matters such as:
- the role of data protection officers; and
- data breaches.
It is also important to analyse new decisions of the administrative courts, as in many cases such decisions are contrary to what the DPA has said in its decisions.
Potential sticking points include the following:
- Over-collection of data: A persistent tendency to collect more data than necessary, often without a lawful basis or proper risk assessment.
- Lack of lifecycle planning: Organisations often fail to define clear data retention and deletion policies, increasing their exposure to unnecessary risks.
- Complex user interfaces: Poorly designed consent flows or privacy settings can discourage user engagement and lead to invalid consent.
- Third-party risks: Using third-party services without adequate safeguards or due diligence introduces vulnerabilities, especially with cross-border data transfers.
We would like to thank Adam Franiak for contributing to this chapter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.