I OVERVIEW

The approach to data protection and privacy is constantly changing in Poland. We no longer live in a time when, from the privacy perspective, direct marketing without consent was the most significant issue for large businesses and authorities. We are now in the era of big data, profiling and biometric tools. At the same time, we face new threats. We have seen several significant data breaches where banking data have been stolen (and later disclosed), and we are all too aware that the Polish legal framework is not adapting to the rapidly changing reality.

Inevitably, Poland, like the other European Union Member States, is preparing its legal system for the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which entered into force on 25 May 2016 but does not apply until 25 May 2018. It is hoped that the General Data Protection Regulation will be an up-to-date law, suitable for the contemporary needs of the privacy and data protection regime.

II THE YEAR IN REVIEW

Both the European and the Polish national data protection systems were very productive in terms of new legislation. From the business point of view, the most significant change came into force on 19 May 2016 along with the amendment[2] to the Act of 2 July 2004 on Freedom of Economic Activity[3] (Act on Freedom of Economic Activity). The amendment introduced changes to the processing of personal data with respect to entrepreneurs who are natural persons. Accordingly, the Act of 29 August 1997 on the Protection of Personal Data[4] (Data Protection Act) shall not apply to data of such entrepreneurs provided that such data are disclosed by the platform of the Central Register and Information on Economic Activity (Central Register). In practice, it means that regarding such data, controllers are, inter alia, no longer obliged to obtain a legal basis for the processing of personal data; notify and register databases with the Polish Inspector General for Personal Data Protection (Regulator); or fulfil notification obligations towards data subjects. Despite the above, appropriate data security and control as exercised by the Regulator are still required by law. In this regard, data controllers need to follow the Data Protection Act irrespective of whether data were disclosed in the Central Register. In practice, oversight and control of the compliance of data processing will, in our view, be limited to verification of the technical and organisational measures used by data controllers to protect the processed data against alteration, loss, damage, destruction or access by unauthorised persons.

However beneficial the above amendment seems to be, it is important to stress that there is only a closed (i.e., limited) catalogue of personal data disclosed by the Central Register regarding which controllers are legally allowed not to follow the Data Protection Act requirements. In our opinion, the processing of such data along with new data that does not fall within the scope of this amendment would result in many cases of legal confusion, as the whole compilation would then have to be processed in accordance with the Data Protection Act.

Another interesting change that took place in 2016 resulted from a new social welfare programme called ‘Family 500 Plus’, which guarantees financial aid for large families. Accordingly, a new statute came into force on 1 April 2016, under which a large amount of personal data is being processed. Starting from 1 April 2016, thousands of databases created for the needs of the new welfare programme are to be notified to the Regulator. The data controllers for such data are local municipalities, social welfare centres as well as regional provinces. According to the Regulator, there is no data breach or data leakage risk connected with the programme as long as the above-mentioned data controllers act in line with the respective data protection law and cooperate with more experienced information security administrators.[5]

As for recent legislative failures, the long-awaited draft of the Act on Video Surveillance was withdrawn from the legislative process in May 2016.[6] It is hoped that discussion of a new draft will be reopened shortly, as the use of CCTV cameras is still not regulated under Polish privacy and data protection law.

Over the past year, we have seen numerous incidents involving breaches of data and privacy protection, which have sparked a wide public debate about the shortcomings in Polish data privacy mechanisms. The biggest scandal concerned the publication of private conversations between prominent Polish politicians, illegally recorded by waiters in one of Warsaw’s top restaurants. On top of that, all of the files from the still-pending investigation of the case were recently published on Facebook. The leak released addresses, ID numbers and other personal data of officials who were questioned in the investigation, as well as other sensitive material.

Data privacy breaches also occurred in 2014 in the banking and finance sector. Erroneous settings of outgoing commercial e-mails (using CC rather than BCC) made the personal e-mail addresses of hundreds of clients available to the public.[7] Similarly, in 2015, the Office for Competition and Consumer Protection made available to the public hundreds of e-mail addresses of clients who were enquiring about mortgage protection. In September 2015, a leading law firm became a victim of cybercrime when more than 100 gigabytes of data were stolen by a hacker, according to the press.[8]

Clearly, such data and privacy breaches are too high a price to pay for these new communication technologies.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

Data protection law, as confirmed by the Polish Constitutional Tribunal,[9] is just a part of the wider privacy law. The right to protect privacy has its origins in the Constitution of the Republic of Poland of 2 April 1997,[10] and in particular Article 47 of the Constitution, which guarantees every Polish citizen the right to a private life, and Article 51, according to which only a specific statute may create an obligation to disclose personal information. The right to privacy is also regulated within the civil protection regime, namely in Articles 23 and 24 of the Act of 13 April 1964 on the Civil Code[11] (Civil Code), which ensures remedies in the case of violation of personal interests. The protection of privacy may be also found in various specific laws, inter alia, the Act of 26 January 1984 on Press Law,[12] which states in Article 14, Section 6 that information and data relating to private life cannot be published without the consent of the person involved unless it is connected directly to the activity of a public figure. As the restaurant recordings scandal has proven, in the competition between public figures’ right to privacy versus the public’s right to know about their political activities, the latter can be a winner. Privacy protection is also guaranteed by other sector-specific regulations, with the prime example being Articles 104 and 105 of the Act of 29 August 1997 on Banking Law,[13] under which bank employees are obliged to secrecy regarding all information relating to banking operations.

The Data Protection Act was the first official manifestation of the progressive democratisation of public life in Poland and of the concern for the protection of privacy rights. Under the Act, ‘personal data’ only relate to information concerning an identified or identifiable individual (the data subject). The identification process cannot require an unreasonable amount of time, cost or personnel. The Act also differentiates between personal data and sensitive personal data. In line with Article 27 of the Data Protection Act, sensitive data encompasses personal data on racial or ethnic origin, political views, philosophical and religious beliefs, membership of political parties or trade unions, information on health and genetic code, as well as addictions, sex life and criminal records. The Data Protection Act generally prohibits the processing of sensitive data unless one of the bases for legalising such processing is met: for example, when the data subject expresses consent in writing. The requirement that such consent takes written form poses a particular problem in the online environment.

Under Polish law, criminal sanctions in relation to non-compliance with personal data processing regulations strongly encourage businesses to protect their information resources. The Data Protection Act lists comprehensive penal sanctions (in Articles 49–54a) with respect to the liability of the data controller or anyone else who ‘acts as the controller of databases’. Despite the possibility of the restriction or even deprivation of liberty, the sanction is usually a fine.

A data controller may authorise another subject, a ‘data processor’, to carry out the processing of personal data pursuant to a contract concluded in writing solely within the scope and for the purpose determined in the data transfer agreement. This agreement, and whether it takes written form, will always be verified by the Regulator during its inspections. It is therefore crucial to double-check whether such agreements are executed in line with the requirements of the Data Protection Act. The controller remains liable for the compliance with the Data Protection Act, while the processor is responsible only if it processes data in a way that is incompatible with the data transfer agreement or it fails to secure the data in accordance with the law.

ii General obligations for data handlers

Under the Data Protection Act, with only minor exceptions, data controllers are obliged to register databases containing personal data with the Regulator, which maintains a national open register of such databases. The data controller’s notification to the Regulator to register a database must contain all the information indicated by Article 41 of the Data Protection Act. The controller is obliged to inform the Regulator about any changes to the notification within 30 days of the date of the change. The notification is free of charge. Therefore, in practice, no personal data other than employee data can be processed without notifying the Regulator.

In some circumstances, there is also no obligation to register a database, such as when data are processed in association with employment contracts or services provided under civil law contracts (a full catalogue is provided in Article 43 of the Data Protection Act). Crucially, under a recent amendment (see Section II, supra), after 1 January 2015, a data controller who appoints a DPO will be exempt from the obligation to register its databases unless it processes sensitive data. However, the DPO him or herself is obliged to ensure compliance with the provisions on personal data by, for example, preparing scheduled and ad hoc reports for the data controller and, if requested, for the Regulator. The DPO also needs to keep internal registers of the databases processed by the data controller. In addition, as a consequence of the amendment, it is no longer mandatory to register databases that are maintained exclusively as paper versions.

Although a data controller may start processing personal data after notifying the Regulator, processing sensitive personal data is acceptable only after the registration of databases in the national register. Processing data means conducting any operation on that data, including collection, recording, disclosure and erasure. The principles of processing personal data are very rigid, in particular if they are sensitive personal data. Obtaining consent in written form – required for processing sensitive data – poses particular problems in the online environment. In most cases, a data controller who conducts online transactions or sends electronic questionnaires needs to obtain a ‘wet signature’ from each data subject whose sensitive data are being processed.

The right of a data subject to control the processing of his or her data constitutes a core privacy right in the Data Protection Act. Information regarding, for example, the data controller, and the purpose, scope or means of processing data can be obtained on request by the data subject. In Poland, the exemption from notifying a data subject about the processing of his or her data for, for example, statistical, archival or didactical purposes (a full catalogue is provided in Article 32, Section 4) refers only to cases when a data subject requests such information. The other side of the coin is the data controller’s informational obligations (Articles 24–25 of the Act), which must be met once data are collected directly or indirectly from a data subject.

A data subject may also request the correction, updating or erasure of data if such data are, for example, incomplete or no longer necessary for the purpose for which they were collected. Following the critical judgment on the ‘right to be forgotten’ (CJEU ruling in Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González), 8,213 Poles have requested that their data be erased from Google. Around 39 per cent of those requests have been successful.[14] Finally, in the event of data being processed for marketing purposes or transfers to other controllers, a data subject has a right to object to such processing.

iii Technological innovation and privacy law

Employee monitoring

Gauging the legitimacy of employee monitoring requires an analysis of both employment and data protection law. According to the Polish data protection authority’s guidelines and public statements, an employer is authorised to protect its property, and for this reason monitoring of employees can be justified. However, before putting such monitoring in place, each employee should be notified of the measures and purpose of the monitoring (e.g., via the employer’s internal regulations). In each case, such monitoring may be implemented only provided employees’ dignity and personal rights are fully protected. Constant monitoring is prohibited. The Regulator follows the guidelines on monitoring provided by the Article 29 Data Protection Working Party.[15]

Cookies

Poland has adopted EU law concerning cookies. In accordance with Article 173, Sections 1–3 of the Telecommunications Law, cookies are generally allowed provided that the user has been informed about the use of cookies and has agreed to it. Information about the use of cookies should include the purpose of collecting data and the option to change the configuration of the software with regard to the cookies (i.e., the option to switch them off). Contrary to the general principle of the Polish Telecommunications Law, which requires direct consent, a user’s consent to cookies takes an opt-out form: the user is deemed to agree when he or she does not change the browser’s or service’s settings (Article 173, Section 2 of the Telecommunications Law). There is no requirement to inform a user about the use of cookies if the cookies are used to provide telecommunications services or services delivered over the internet (information society services) and if these services were ordered by the user.

In practice, most Polish websites have a banner that pops up when a user visits a website for the first time. The banner contains concise information about the use of cookies and the option to switch them off. The user may accept by clicking the ‘I accept’ box, or may learn more about the cookies by choosing the ‘I need more information’ box. After choosing the latter, the user is forwarded to a privacy policy page that gives more information about the cookies. Non-compliance with the law concerning cookies may result in a financial penalty of up to 3 per cent of the previous year’s income (Article 209, Section 1(27) and Article 210, Section 1 of the Telecommunications Law). In addition, a financial penalty of up to 300 per cent of monthly remuneration may be imposed on executives.

Location tracking

Location tracking is regulated by the Telecommunications Law for providers of telecommunications services, and by the Data Protection Act for all others. The Data Protection Act applies to location tracking because data collected by phones are regarded as personal data, since they allow the user to be identified.

The collection of location data generally requires a user’s consent (Article 166, Section 1(1) of the Telecommunications Law, Article 23, Section 1(1) of the Data Protection Act). The scope of information to be provided before requesting a user’s consent is laid down by law and includes information on which location data will be collected, the purpose of collection, the length of time the data will be retained and whether the data will be transferred to other entities (Article 166, Section 2 of the Telecommunications Law, Article 24, Section 1 of the Data Protection Act).

Location tracking does not require a user’s consent if the collected data is anonymised. In the case of providers of telecommunications services, this is set forth directly in Article 166, Section 1(2) of the Telecommunications Law. Other entities that collect location data do not need the user’s consent if they anonymise data as well. This follows from the fact that anonymised data do not constitute personal data in the meaning of the Data Protection Act, and as such do not fall within the regime of this Act. In accordance with the Regulator’s view, an international mobile equipment identity (IMEI) number can be seen as a personal datum, as the providers of telecommunications services may identify individuals by means of it, so location data containing an IMEI number cannot be regarded as anonymised.[16]

Telecommunications firms are only allowed to transfer location data to other entities if the data are to be used to provide services. Transferred location data cannot be used for marketing purposes (Article 166, Section 4 of the Telecommunications Law).

Electronic marketing

Under Polish law, sending unsolicited commercial information by means of electronic communications (e.g., e-mails, messages via an internet communicator) is not allowed without the addressee’s consent (spamming, Article 10, Section 1 of the Act on Provision of Services by Electronic Means). The same applies to contacting phone users, either by calling (cold calling) or by sending an SMS for marketing purposes (Article 172, Section 1 of the Telecommunications Law). The consent has to be directly expressed (opt-in) and cannot be inferred from any other statements. There should be an option to withdraw such consent at any point (Article 4, Section 1 of the Act on Provision of Services by Electronic Means, and Article 174 of the Telecommunications Law).

Spammers may be punished within criminal proceedings by a fine of up to 5,000 zloty (Article 24, Section 1 of the Act on Provision of Services by Electronic Means). Spamming is also an act of unfair competition, and the sender may be sued by its competitors or industry organisation (Article 10, Section 3 of the Act on Provision of Services by Electronic Means, and Article 18, Section 1 and Article 19, Section 1(2) of the Act on Combating Unfair Competition). Spamming is also an unfair market practice, and a sender may be sued by consumers or their representatives (Articles 9(3) and 12, Sections 1 and 2 of the Act on Combating Market Practices). Further, spamming may be found to be a practice that infringes collective consumer interests by the President of the Office of Competition and Consumer Protection, who can impose a financial penalty of up to 10 per cent of the previous year’s turnover (Article 24, Section 1(3) and Article 106, Section 1 of the Act on Competition and Consumer Protection). Similarly, cold calling and spamming may be punished by the President of the Office for Electronic Communications with a financial penalty of up to 3 per cent of the previous year’s income. In such cases, a financial penalty of up to 300 per cent of their monthly remuneration may also be imposed on company executives (Article 209(25) of the Telecommunications Law).

Although there are many consequences under Polish law for sending unsolicited commercial communications or contacting phone users without their consent, in practice spammers and cold callers are hardly ever punished for their actions. Compliance with the law is, therefore, only important as regards brand image.

iv Specific regulatory areas

Polish privacy rules are applicable to specific subjects – a prime example is employees. The Act of 26 June 1974 on the Labour Code[17] (Labour Code) specifically lists the data that an employer may request from an employee or candidate employee, such as date of birth, education and employment record. Case law confirms that employers are not allowed to process data other than those specified in the Labour Code, even with the employee’s consent, since it would constitute a circumvention of law.[18] The most controversial issues are processing employees’ biometric data, monitoring IT hardware and software, and the legality of CCTV cameras in the workplace. See Section VII.ii, infra, for a discussion of case law and relevant rulings.

Medical information constitutes sensitive data. Such data are regulated under a stricter regime. Nonetheless, processing medical data is acceptable in some cases, such as when data subjects have provided written consent, or where there is a special provision authorising such processing. Article 24, Section 2 of the Act of 6 November 2008 on Patients’ Rights and the Ombudsman for Patients’ Rights[19] is one such provision, which expressly authorises doctors and nurses to obtain data contained in medical records. Besides that, employers can process particular medical information related to occupational health.

Other specific subjects of data protection are school-age children and students. The Regulator has issued many decisions enhancing the protection of their data: for example, stating that sharing students’ grades, along with their image, on the internet is illegal without the students’ consent.[20] There is, however, no separate legal act dealing with children’s privacy (such as the US Children’s Online Privacy Protection Act, or similar).

Article 161, Section 2 of the Telecommunications Law sets the scope of personal data that may be processed by providers of publicly available telecommunications services. The data include name and first names, parents’ first names, place and date of birth, address, Polish national identification number,[21] ID number or passport number. Upon the individual’s consent, the provider may process a bank account number or phone number.

IV INTERNATIONAL DATA TRANSFER

Polish data protection law differs from many other EU countries’ legislation when it comes to transferring personal data internationally.

Until recently, neither standard contractual clauses accepted by the EU Commission (EU Model Contract Clauses) nor binding corporate rules were recognised by the Regulator, GIODO, as a sufficient legal basis for such transfers. Both instruments required authorisation from the Regulator after a time-consuming procedure.

This situation changed after the amendment came into force. Under the new law, the Regulator’s authorisation is not required if the data controller ensures adequate safeguards for the protection of privacy and the rights and freedoms of the data subject by executing the standard contractual clauses approved by the European Commission in accordance with Article 26, Paragraph 4 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or legally binding rules or policies of protection of personal data, also referred to as ‘binding corporate rules’, approved by the Regulator in accordance with Polish data protection law. The Regulator must approve binding corporate rules, adopted within a group of business entities, for the transfer of personal data by the data controller or data processor belonging to the same group to another controller or data processor located in a third country. Before approving binding corporate rules, the Regulator may consult the relevant data protection authorities of EEA countries on whose territory the entities belonging to the same capital group as the applicant are established, providing them with the necessary information. When issuing its decision, the Regulator takes into account the results of the consultations with authorities from other EU countries, and if the binding corporate rules have been the subject of a decision of the data protection authority of another EEA country, may take this decision into consideration.

After the amendment came into force, the Polish data protection authority issued at least three decisions in relation to the acceptance of binding corporate rules. All of them were positive for data controllers.[22]

V COMPANY POLICIES AND PRACTICES

Polish data protection law requires very detailed internal documentation to be kept describing the processing of personal data. The content of such documentation is, to some extent, regulated under the Regulation of 29 April 2004 of the Minister of Internal Affairs and Administration as regards personal data processing documentation and the technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing.

Under this Regulation, each data controller, irrespective of its size or the purpose of processing data, should hold the following internal documents:

  • (a) a security policy;
  • (b) instructions on the management of computer systems used for personal data processing;
  • (c) authorisations for the processing of personal data; and
  • (d) a register of the authorisations.

These documents must be held in writing (on paper) for evidence purposes. However, in practice, authorisations to process personal data are held in electronic form only.

Because of the changes to Polish data protection law, the role of the data privacy officer (DPO) also changed. After the changes, only persons who meet the following criteria can be assigned the role of DPO: persons with full legal capacity and full civil rights, adequate knowledge of the protection of personal data and a clean criminal background. In practice, in larger organisations, a dedicated DPO is appointed, whereas in smaller ones, a person responsible for IT or HR fulfils the DPO role.

Controversially, a DPO should be in a position to perform his or her duties independently, regardless of whether he or she is an employee of a data controller. Until 31 December 2014, appointing a DPO was an obligation for legal entities acting as data controllers. The amendment states that this is no longer mandatory. Thus, a data controller may consider all pros and cons before deciding on such an appointment. On the other hand, if a data controller does not appoint a DPO, the data controller will have to assume the DPO’s duties. Appointing a DPO in a company may significantly ease data circulation, not only because of the exemption from registration requirements (see Section III.ii, supra), but also for many other reasons. Among them is transparency of processing data, resulting in regular and ad hoc reports by the DPO. The DPO’s independence and knowledge should, on the one hand, accelerate decision processes regarding data and, on the other, ensure compliance with the Data Protection Act.

As a small point on practices concerning marketing and sending of newsletters, to avoid spamming, IAB Poland, an association of firms in the internet sector, recommends in its ‘Good Practices for Email Marketing’[23] a double opt-in system when requesting consent for sending newsletters. A subscriber gives consent the first time he or she gives his or her e-mail address. The subscriber then receives a message with an activating link, sent to the given e-mail address. After clicking the link, the subscriber is put on the subscribers’ list. The double opt-in system has become a recognised practice also used by firms that do not belong to IAB Poland.
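The double opt-in flow described above, as an added illustration (not IAB Poland’s code nor any firm’s implementation). It assumes an HMAC-signed, time-limited activation token carried by the link, an in-memory store, and that sending the e-mail is simulated by returning the token; withdrawal of consent, which the Act on Provision of Services by Electronic Means requires to be possible at any time, is included.

```python
"""Double opt-in consent for a newsletter list (constructed example).

Assumed design, not taken from the page: the activation link carries
email|expiry|nonce plus an HMAC-SHA256 tag, so a link that was never
issued by us, was altered, or is stale cannot confirm a subscription.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SECRET_KEY = b"constructed-demo-key-replace-in-production"
TOKEN_TTL_SECONDS = 48 * 3600  # activation link valid for 48 hours (assumed)


@dataclass
class ConsentRecord:
    """Evidence of consent: when requested, confirmed and withdrawn."""
    email: str
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None


class NewsletterConsent:
    def __init__(self, key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL_SECONDS):
        self._key = key
        self._ttl = ttl
        self._pending: Dict[str, ConsentRecord] = {}      # address given, not yet confirmed
        self._subscribers: Dict[str, ConsentRecord] = {}  # confirmed, may be mailed

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, now: Optional[float] = None) -> str:
        """Step 1: the address is entered. It is stored as pending only;
        the returned token is what the activation link would carry."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        self._pending[email] = ConsentRecord(email=email, requested_at=now)
        payload = f"{email}|{int(now + self._ttl)}|{secrets.token_hex(8)}"
        return f"{payload}.{self._sign(payload)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: the link is clicked. Only a genuine, unexpired token
        for a pending address moves it onto the subscribers' list."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.rsplit(".", 1)  # hex tag contains no '.'
            email, expires, _nonce = payload.split("|")
        except ValueError:
            return False  # malformed link
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False  # forged or altered link
        if now > int(expires):
            return False  # stale link
        record = self._pending.pop(email, None)
        if record is None:
            return False  # never requested, or token already used (replay)
        record.confirmed_at = now
        self._subscribers[email] = record
        return True

    def withdraw(self, email: str, now: Optional[float] = None) -> bool:
        """Consent can be withdrawn at any time; keep the record as evidence."""
        now = time.time() if now is None else now
        record = self._subscribers.pop(email.strip().lower(), None)
        if record is None:
            return False
        record.withdrawn_at = now
        return True

    def may_send_to(self, email: str) -> bool:
        """Only confirmed, non-withdrawn addresses may receive the newsletter."""
        return email.strip().lower() in self._subscribers
```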

Other practices are covered by the codes of good conduct accepted or negotiated by the Regulator in, for example, the automotive[24] or insurance sectors.[25]

VI DISCOVERY AND DISCLOSURE

Internal investigations are not precisely regulated under Polish law. An analysis of several legal acts is required, with the Data Protection Act, Labour Law and the Civil Code at the top of the list.

Unfortunately, there are no clear guidelines from the Regulator or jurisprudence regarding internal investigations. However, accessing, for example, employees’ private mailboxes, pictures or other data may be considered a breach of Polish data protection law (and privacy). This is due to the fact that, as a general rule, the scope of data that can be accessed (processed) by an employer (acting as data controller) is provided within the Labour Law.[26] As a result, an employer may not access an employee’s private information stored on his or her computer without the employee’s consent or another legal basis, such as a legitimate purpose of the data controller. We should stress that, according to the Polish data protection authority and courts, processing an employee’s data based on consent is questionable.

As a general rule, during criminal proceedings, investigation processes are possible under an order from the prosecutor or courts based on criminal law procedure. Further, according to Article 218, Section 1 of the criminal law procedure, government bodies, institutions and entities operating in the field of mail delivery, or telecommunications operators, customs offices and institutions, as well as transport companies, are obliged to provide a court or prosecutor, upon request by means of a court order or prosecutor’s order, correspondence, parcels and data, as well as other information referred to in the Act of 16 July 2004 – the Telecommunications Law,[27] if such data is relevant for the proceedings. Only the courts or the prosecutor are entitled to such correspondence, parcels and data, or to open them.

Apart from the courts and public prosecutors, the following agencies may request the disclosure of the records to facilitate cooperation with the courts or prosecutors: inter alia, the police, the Internal Security Agency, the Intelligence Agency, the Border Guard, the Military Intelligence and Military Counter-Intelligence Services, the Central Anti-Corruption Bureau and the military police.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The only competent authority in charge of personal data in Poland is the Regulator, GIODO, a body appointed and dismissed by the Polish parliament, with a tenure of four years. Since November 2010, GIODO has been an official member of the Global Privacy Enforcement Network, a world network of enforcement of privacy laws.

By applying the enforcement measures provided in the Act on Enforcement Proceedings in Administration of 17 June 1966,[28] GIODO needs to ensure that non-monetary obligations arising from its decisions (e.g., a decision ordering the removal of violations of the Data Protection Act) are performed by the obligees. Lack of documentation, or other data protection misconduct, can be subject to a fine of up to (about) €12,500 per breach in the case of legal persons and up to €2,500 per breach for individuals. The maximum penalty for legal entities is €50,000 for not following the Regulator’s decision. In addition to those penalties that can be imposed under the administrative procedure, illegally processing personal data can constitute a criminal offence and can be punishable by up to two years’ imprisonment, in accordance with Articles 49–54a of the Data Protection Act.

ii Recent enforcement cases

In one of the most recent enforcement cases, GIODO issued a decision that forced one of the largest global social networks, operating in Poland through a subsidiary (a limited liability company), to apply Polish data protection law. The Polish subsidiary, owned by a US company, ‘F.’, was considered a controller of the data of Polish users of the social network. As a result, and based on information collected by the Regulator, it was also ordered to delete a data subject’s personal data from the infrastructure of the ‘F.’ social network. The case forms a precedent, as until recently it was not clear whether GIODO could address decisions to Polish subsidiaries of foreign businesses operating online. In most cases, such subsidiaries are active only in marketing and PR, and do not process (e.g., store or display) any personal data. The Regulator followed the judgments of the Court of Justice of the European Union in cases C-131/12 and C-230/14, and decided that, in practice, the subsidiary is an integral part of the larger business of the data controller, even if formally it does not process any personal data. As such, a subsidiary should meet all the requirements of Polish data protection law, and can also be the addressee of decisions issued by GIODO.

As for data breaches, including leaks of data, the results achieved so far in the restaurant-recordings case (outlined briefly in Section II, supra) are noteworthy. The Regulator has confirmed that the leak was clearly illegal under Article 49 of the Data Protection Act and could result in criminal liability. Moreover, it has been stressed that the Warsaw prosecutor’s office, acting as data controller, inadequately secured the victims’ data and failed to prevent the data from being stolen, thereby infringing Article 51 of the Data Protection Act.29

Regarding the controversy over the processing of biometric data, it is crucial to refer to the consistent line taken in administrative court case law, according to which the proportionality principle (as stated in Article 26, Section 1(3) of the Data Protection Act) is the main test applied when deciding on the processing of biometric data. Thus, the Supreme Administrative Court has upheld the view presented by the Regulator that using biometric data (such as fingerprints) to control the working hours of employees is disproportionate to the purpose for which the data are collected.30

As regards the most recent case law, on 14 July 2015 the Polish Constitutional Tribunal, in case K 2/13, held that the challenged provisions governing speed cameras were unconstitutional because they significantly interfered with drivers’ privacy. Another interesting decision concerned video surveillance (the use of CCTV cameras). On 9 July 2014, the Voivodeship Administrative Court upheld the view presented by the Regulator that recordings from a ‘monitoring system’ may be deemed a collection of personal data (a database), and thus be subject to the Data Protection Act.31 Clearly, this is the case only when such recordings enable the identification of individuals (as recorded data subjects). These two cases are good examples of recent case law providing ‘supplementary protection’ of privacy rights and acting as an effective defence against the impact of new technologies.

iii Private litigation

Private litigation is particularly visible in cases of violations of personal interests under Articles 23 and 24 of the Civil Code. Recent rulings concerning a claimant – a Sikh – alleging the infringement of his personal rights during a security check (when he was asked to take off his turban) serve as a clear example of this. Referring to international case law, the Supreme Court held that security checks are, by their nature, associated with an interference with passengers’ personal rights and, therefore, the claim was groundless.32 Another case regarding the infringement of personal interests concerned a short video uploaded to YouTube, in which an 85-year-old woman with a hearing impairment called a police department, provided her personal data and notified the police that someone had set fire to a haystack belonging to her family. The woman’s relatives sued the police department for the unauthorised publication of the video on YouTube. The court of first instance ruled that the family should receive 40,000 zloty in compensation, that the police department should issue an apology to the family and the victim, and that the video should be ‘deleted from all internet services’. The last of these orders was unenforceable in practice.

In the latter case, in 2015, the Supreme Court ruled that the behaviour of third parties (internet users) cannot be regarded as a ‘result of an infringement of Article 24 of the Civil Code’, but that the injured party may seek additional compensation from service providers (i.e., YouTube), as well as from all content providers (the individuals who uploaded the video).33

Spamming may also result in private litigation. Spam can be deemed an act of unfair competition, and the sender may be sued by its competitors or by industry organisations (Article 10, Section 3 of the Act on Provision of Services by Electronic Means, and Article 18, Section 1 and Article 19, Section 1(2) of the Act on Combating Unfair Competition). Spam may also be seen as an unfair market practice, and may lead to claims by consumers or their representatives (Articles 9(3) and 12, Sections 1 and 2 of the Act on Combating Unfair Market Practices).

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

It is crucial for foreign organisations to assess whether the Data Protection Act applies to their operations in Poland. Article 3 of the Act states that it applies to natural and legal persons and to organisational units that are not legal persons if they process personal data as part of their business or professional activity or in the implementation of statutory objectives, and they have their seat or residence in Poland, or have their seat in a third country and process personal data by technical means located in Poland.

In other words, the Data Protection Act applies to foreign organisations only in limited cases, namely when they use a Polish legal entity, branch or representative office to process personal data. It may also apply when data is processed without any formal structure in Poland but using IT resources (e.g., servers) located in Poland. This is, however, controversial, and should be analysed on a case-by-case basis.

IX CYBERSECURITY AND DATA BREACHES

i Cybersecurity

No single legal act deals generally with cybersecurity in Poland. However, principles of protection of IT systems from unauthorised access are regulated under the Regulation of 29 April 2004 of the Minister of Internal Affairs and Administration as regards documentation required to undertake personal data processing, and the technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing. Minimum standards for IT systems that process personal data are set out in the appendix to that Regulation.

Cybercrimes are regulated by Chapter 23 of the Polish Criminal Code, which covers offences against the protection of information. According to police statistics, the most common offence is a breach of the secrecy of correspondence under Article 267 (1,901 acts in 2014 alone).34 The opening of private e-mails by employers accounts for the majority of these offences. The form of computer sabotage known as ‘hacking’ (preventing or hindering access to information under Articles 268 and 268a) is the least frequently prosecuted cybercrime, with only 10 proceedings initiated in 2014.35

ii Data breaches

Under the Telecommunications Law, entities that provide public telecommunications services are obliged to inform the Regulator about each infringement concerning personal data (e.g., loss or leakage of personal data). The Regulator has to be informed as soon as possible, but not later than three days after the incident is detected (Article 174a, Sections 1 and 2 of the Telecommunications Law). A telecommunications undertaking also has to inform the user about the incident if the incident may have a negative impact on the user’s rights (i.e., may lead to unlawful use of personal data, property damage, infringement of personal rights, or a breach of banking secrecy or any other professional secrecy) (Article 174a, Sections 3 and 4 of the Telecommunications Law). The user does not have to be informed if the data is technically protected as required by law, i.e., by technological measures that render it unintelligible to unauthorised persons (Article 174a, Section 5 of the Telecommunications Law). Telecommunications undertakings have to maintain a register of personal data infringements (Article 174d, Section 1 of the Telecommunications Law).

The existing regulation seems to be insufficient. To respond adequately to rapid changes and developments in new technologies and cybersecurity, the government introduced the Government Programme for the Protection of Cyberspace of the Republic of Poland 2011–2016, which defines cybercrime and cyberspace and establishes the Polish Computer Emergency Response Team. This broad document proposes various administrative, structural, technical and educational measures to combat cybercrime.36

Following the changes introduced by the amendment to the Data Protection Act, DPOs are also required to notify the data controller about a data breach immediately after they learn of such an incident.

X Outlook

Most businesses look forward to the application of the new EU General Data Protection Regulation (GDPR). The GDPR will probably change the way Polish data controllers think about privacy, not only because of the significant fines for non-compliance, but also because of clearer rules on processing personal data in the new digital environment. For example, as it currently stands, Polish data controllers are unsure how data can be processed within big databases, how natural persons may be profiled or how to structure data protection within large organisations in a multinational environment. It is hoped that the GDPR will answer all these questions.

On the other hand, it will be interesting for businesses to see how the Regulator and the Office of Competition and Consumer Protection apply the new provisions of the Telecommunications Law when it comes to direct marketing (by phone or similar measures).

Last but not least, we are seeing strong interest in cybersecurity and data breaches. We expect there will be changes to the law regulating these, as more and more security incidents are seen. Hopefully, such changes will not bring too many formalistic requirements, but instead will lead to solid and practical solutions that will bring real improvements to the security of our data.

Footnotes

1 Tomasz Koryzma is a partner, Marcin Lewoszewski and Agnieszka Besiekierska are senior associates and Adriana Zdanowicz–Leśniak is a lawyer at CMS Cameron McKenna Greszta i Sawicki sp.k.

2 The Act of 25 September 2015 on the amendment to the Act on Freedom of the Economic Activity and other acts (Journal of Laws of 2015, Item 584 consolidated text with the amendments.)

3 Journal of Laws of 2016 with amendments.

4 Journal of Laws of 2014, Item 1182 with amendments.

5 The statement of the Regulator regarding the processing data with respect to the ‘Family 500 Plus’ is available in Polish at www.giodo.gov.pl/560/id_art/9154/j/pl.

6 The statement of Ministry of Internal Affairs – Mr Jarosław Zieliński made in a letter to Polish Ombudsman Mr Adam Bodnar is available in Polish at www.rpo.gov.pl/sites/default/files/Odp%20MSWiA%20monitoring%20wizyjny%2024.05.2016.pdf.

7 This happened to both Nordea Bank (over 600 clients) and Idea Bank (over 800 clients).

8 prawo.gazetaprawna.pl/artykuly/892135,znana-kancelaria-prawna-padla-ofiara-hakerow-wyciekly-dane.html.

9 Decision from 12 November 2002, SK 40/01.

10 Journal of Laws No. 78, item 483, available in English at: www.sejm.gov.pl/prawo/konst/angielski/kon1.htm.

11 Journal of Laws 2014, Item 121 with amendments.

12 Act of 26 January 1984, Journal of Laws 1985, No. 5, item 24.

13 Journal of Laws 2012, Item 1336 with amendments.

14 Available at www.google.com/transparencyreport/removals/europeprivacy/?hl=pl.

15 Working document on the surveillance of electronic communications in the workplace: ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp55_en.pdf.

16 The Regulator’s statement in this respect can be found at di.com.pl/giodo-numer-imei-to-nie-zawsze-dane-osobowe-22818.

17 Journal of Laws 2014, Item 1502.

18 Ruling of 1 December 2009, (I OSK 249/09).

19 Journal of Laws 2012, Item 59.

20 GIODO decisions (GI-DP-024/840/01), (GI-DP-024/284/01).

21 Powszechny Elektroniczny System Ewidencji Ludności (PESEL).

22 Decision of GIODO dated 9 June 2015, DESiWM-469/15 (unpublished).

23 IAB Poland Good Practices of Email Marketing, iab.org.pl/standardy-i-dobre-praktyki/dobre-praktyki-e-mail-marketingu.

24 The code is available at www.pzpm.org.pl/content/view/full/8054.

25 www.giodo.gov.pl/plik/id_p/4374/j/pl.

26 isap.sejm.gov.pl/DetailsServlet?id=WDU19740240141.

27 isap.sejm.gov.pl/DetailsServlet?id=WDU20041711800.

28 Journal of Laws of 2012, Item 1015.

29 Radio conversation with the Deputy of GIODO available at www.polskieradio.pl/5/3/Artykul/1458421,Wyciek-akt-z-afery-podsluchowej-GIODO-zostalo-zlamane-prawo.

30 Ruling of 2009 (I OSK 249/09).

31 Ruling of 2014 (II SA/WA 2393/13).

32 Ruling of 17 September 2013 (I OSK 439/13).

33 Ruling of 14 January 2015 (II CSK 747/14).

34 Available at statystyka.policja.pl/st/kodeks-karny/przestepstwa-przeciwko-14/63625,Naruszenie-tajemnicy-korespondencji-art-267.html.

35 Available at statystyka.policja.pl/st/kodeks-karny/przestepstwa-przeciwko-14/63626,Udaremnienie-lub-utrudnienie-korzystania-z-informacji-art-268-i-268a.html.

36 blog.e-odo.pl/wp-content/uploads/2015/08/Rządowy-Program-Ochrony-Cyberprzestrzeni-RP-na-lata-2011-2016.pdf.