When it comes to the protection of privacy and personal data, Poland has followed EU standards and laws for many years, and it seems likely that the country will have its legal framework ready for the General Data Protection Regulation (GDPR) on time. There is still room for improvement (e.g., how quickly data privacy matters are dealt with by the data protection authority), but this does not appear to be a Poland-specific issue.2
Data protection officers and experts are in high demand in both the public and private sectors. Several higher-education bodies offer postgraduate studies focused on privacy and there are GDPR events on a daily basis. The awareness in society regarding privacy is high and probably getting even higher in recent months because of the upcoming GDPR.
New legislation, not necessarily connected to GDPR, was enacted this year or will be enacted soon, including a law to counter terrorism and prevent hate speech on the internet. From many perspectives, and for different reasons, privacy is a topical issue and although there are still aspects that are expected to be regulated in the near future, there are some who may say it is already an overregulated area.
The GDPR will be a game changer not only for businesses but also for the authorities. Both sides should make good use of the few months left before 25 May 2018.
II THE YEAR IN REVIEW
This year we have seen a strong focus on preparation of the Polish legal framework for the implementation of the GDPR. The Ministry of Digital Affairs, which is responsible for the introduction of the GDPR into Polish law, published the first draft of the amended Act on the Protection of Personal Data on 23 March 2017. It was widely discussed and after a number of discussions and meetings another draft was published on 14 September. This was followed by a package of drafts of various legal acts where changes were necessitated by the upcoming GDPR. Within the reform package, changes to more than 60 legal acts were proposed, on more than 170 pages of legal text. The changes covered new wording of the E-Commerce Act, the Telecommunications Law, the Act on Insurance Activity, the Act on Payments and the Employment Law. Unfortunately, changes were not proposed for all the legal acts that should, in our view, be reviewed in light of the GDPR. For example, the package does not cover pharmaceutical law (including clinical trials). This, however, will be further discussed with the authorities.
At the same time, the year was full of GDPR-focused meetings with the regulators, legislative bodies, scientists, law practitioners and businesses. Notably, for the first time in Polish history, the International Association of Privacy Professionals held its KnowledgeNet meeting in Poland, attended by more than 120 privacy professionals.
With the deadline for implementing the NIS Directive3 fast approaching, the Ministry of Digital Affairs published the Strategy for Cybersecurity for Poland for 2017–2022 on 1 March 2017.4 The document, almost 30 pages long, describes the key strategic directions and plans for the next five years. However, while Deputy Prime Minister Mateusz Morawiecki has confirmed that cybersecurity is one of the authorities’ priorities, and that it should become a Polish export product,5 there is still no draft law on cybersecurity.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
Privacy law has its roots in the Constitution of the Republic of Poland of 2 April 1997,6 and in particular in Article 47, which guarantees everyone the right to legal protection of their private life. This constitutional principle was further specified in Articles 23 and 24 of the Act of 23 April 1964 – the Civil Code,7 which protect the personal interests of natural persons.
Poland implemented EU Directive 95/46/EC8 by enacting the Act of 29 August 1997 on the Protection of Personal Data (the Act on the Protection of Personal Data).9 The Act follows the EU Directive and is in compliance with EU law. It is of a general nature and regulates the whole spectrum of processing of personal data by the entities to which the Act applies (including public bodies, associations, individual entrepreneurs and legal entities conducting businesses).
There are secondary regulations to the Act on the Protection of Personal Data that are specific to Poland. For instance, the Ministry of Internal Affairs issued a regulation regarding personal data-processing documentation and technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing.10 Further, and also specifically Polish, in 2008 the Minister of Internal Affairs and Administration issued a regulation on the specification for a notification of a data filing system for registration with the Inspector General for Personal Data Protection (GIODO).
Data protection is also guaranteed by many sector-specific regulations. There are key legal acts covering data protection in the areas of banking law, insurance law, telecommunications, e-commerce, pharmaceuticals and health law, and other areas where sector-specific provisions regulating how data should be processed are present.
Notwithstanding this regulatory spread, GIODO appears to have become less active when it comes to enforcement actions and inspections. According to publicly available statistics,11 in 2017 GIODO conducted 63 inspections (compared with 192 in 2016) and issued 1,281 administrative decisions (based on inspections and complaints from data subjects). The authority received 1,164 complaints in 2017, compared with 2,610 in the previous year.
ii General obligations for data handlers
A data controller, when processing personal data, has to ensure:
- a legal grounds for personal data processing;
- b limitation of purposes for which personal data are processed;
- c time limitation of personal data storage;
- d relevancy and adequacy of the personal data processed by the data controller;
- e enforcement of data subjects’ rights; and
- f security of the personal data.
Legal grounds for personal data processing include, among others, the consent of the data subject, necessity for the performance of a contract with the data subject, necessity to exercise rights or perform duties arising from law, and legitimate interests. Data controllers often ask data subjects for consent, but the other legal grounds should also be taken into account. Consent may be withdrawn easily at any time after it is granted, so it is always worth considering whether another legal ground for the processing is available.
The data controller is obliged to inform data subjects about their rights. This information is usually provided by the data controllers upon asking the data subjects’ consent to the processing of their personal data. The information should include: name and address of the data controller, purpose of the data collection, data recipients or categories of data recipient, the existence of the right to access and rectify the data and whether providing the data is voluntary or obligatory. Even more categories of information have to be provided in a situation where the personal data are not collected directly from the data subject.
If the data controller outsources areas of its business, including personal data processing, the data controller is obliged to ensure the outsourced third party (called a data processor) takes proper care of the data. For this reason, the data controller is obliged to enter into a data processing agreement with the data processor. The data processing agreement should include a provision obliging the data processor to process the data solely within the scope of, and for the purpose determined in, the contract.
Moreover, the data controller has to give notice of data filing systems, in which personal data are collected, to the Polish data protection authority. The data controller has to provide the following information about its data filing systems: name and address of the data controller, legal basis for personal data processing, the purpose for the personal data processing, a description of the categories of data subjects and the scope of the processed data, information on the ways and means of data collection and disclosure, information on the recipients or categories of recipients to whom the data may be transferred, a description of the technical and organisational measures applied for the purposes of data security, and information relating to a possible data transfer to a third country. The data filing system notification should take place before the data controller starts processing the personal data. In practice, many data controllers submit the notification after creating a database and collecting personal data therein. There are numerous exemptions from the notification obligation, such as: processing of personal data in connection with an employment relationship; processing of personal data for the purposes of rendering healthcare services, notarial or legal advice, patent agent, tax consultant or auditor services; processing of personal data for the purposes of issuing an invoice or a bill or for accounting purposes; and processing publicly available data. The data controller is also exempted from the notification obligation if he or she has appointed (and registered) a data protection officer. This exemption does not work, however, if the data controller processes sensitive personal data in the data filing system.
The data controller is obliged to secure the personal data against loss or unauthorised access. For this reason the data controller has to apply organisational and technical measures appropriate to the type of risk. Polish law also requires, however, that all data controllers apply certain measures listed in secondary legislation, regardless of whether those measures are appropriate for a given data controller. For example, every data controller must apply the same password policy (passwords of at least eight characters, changed every 30 days), and cannot substitute a different control on the basis of its own risk assessment. This approach has been criticised over the years as not meeting the needs of all data controllers.
iii Technological innovation and privacy law
As a member of the Article 29 Working Party, GIODO supports the Working Party view regarding employee monitoring.12 According to public statements by GIODO and its staff,13 the monitoring of employees is acceptable under Polish law, providing that the employees were informed about the monitoring, the monitoring is not excessive and it does not infringe any of the employees’ personal rights. It seems, therefore, that GIODO follows the judgment of the European Court of Human Rights in the case of Bărbulescu v. Romania.14
The cookie law15 permits storing information on a user’s terminal equipment, or accessing information already stored there, only if:
- a the user is informed about the purpose of storing and using the information, and about the possibility of configuring the browser or service settings to set rules regarding the use of the information about the user;
- b the user, after receiving this information, consents to this use of his or her data; and
- c the information stored on the user’s computer does not cause a change in the settings of the user’s computer device or software.
Non-compliance with the cookie law may result in a financial penalty of up to 3 per cent of the infringer’s revenue from the previous year.16
In July 2017, GIODO published a broad analysis of the impact of location tracking on privacy.17 The analysis covers both the Act on the Protection of Personal Data and the GDPR.
According to the authority’s stated view, data collected through location tracking should be considered personal data. Therefore, the general rules for processing such data apply. The key principles applying to location tracking are the principles of legality,18 purpose limitation,19 adequacy,20 accuracy,21 time limitation,22 and integrity and confidentiality.23 GIODO considers the consent of the individual concerned to be the key legal basis for such processing.
As stated by GIODO within the analysis, just as telecom operators process a particular device’s location using base stations, database owners with mapped Wi-Fi access points process personal data when calculating the location of a particular smart mobile device. By specifying both objectives and the means of such processing, these entities become data controllers within the meaning of Article 7(4) of the Act on the Protection of Personal Data (or Article 4(7) of the GDPR).24
Following the most recent changes to the Polish law on unsolicited commercial information, the rules on using electronic means for marketing purposes have become unclear. It is forbidden to send commercial information by means of electronic communication (including emails, text messages and internet messengers) without the user’s consent.25 This prohibition is broadly interpreted: even a company logo or a marketing slogan used in an email signature may be treated as commercial information. Moreover, the prohibition applies not only to sending emails to private persons, but also to individuals who represent companies. A separate prohibition covers the use of telecommunications terminal equipment or automated calling systems for direct marketing.26 Under this provision, companies cannot make phone calls or send emails or text messages with their offers without the users’ prior consent. As a result of these two prohibitions, companies started asking users to grant two separate consents, causing annoyance and confusion on the part of the users.
Spamming may be punished under five different acts of Polish law (the Act on Provision of Services by Electronic Means, the Act on Combating Unfair Competition, the Act on Combating Unfair Market Practices, the Act on Competition and Consumer Protection and the Telecommunications Law) with a maximum financial penalty of up to 10 per cent of the previous year’s turnover. In practice, spammers and cold callers are rarely punished for their actions.
The new rules on the use of electronic devices for marketing purposes are expected with the adoption of the EU ePrivacy Regulation.27
iv Specific regulatory areas
One of the most difficult aspects of processing personal data under Polish law relates to the employer–employee relationship. It is common practice for employers to process as much data as possible about employees and candidate employees. However, Polish employment law limits the scope of data that can be processed in such cases. Article 22(1) of the Act of 26 June 1974 – the Labour Code28 provides a list of the data that an employer can request from an employee or candidate employee, including date of birth, education and employment records. Courts have confirmed that employers are not allowed to process data other than those specified in the Labour Code, even with the employee’s consent, because of the imbalance of power between the employer and the employee.
The other interesting aspect regarding the processing of candidate employees’ and employees’ data concerns background checks. In practice, the verification of candidates’ past history is limited to the documents they present to the employer and to checking the references supplied (subject to certain conditions). In most parts of the private sector, it would be non-compliant to verify candidates’ criminal records, with an exception for cases such as the employment of bodyguards.
IV INTERNATIONAL DATA TRANSFER
Polish data protection law generally follows EU Directive 95/46/EC when it comes to international data transfers. As a general rule, personal data may be transferred outside the European Economic Area (EEA) if the destination country offers an adequate level of protection for such data. However, if this is not the case, the data controller may rely on one of the following legal bases as grounds for the transfer to the third country:
- a the transfer of personal data results from an obligation imposed on the data controller by provisions of law or by provisions of a ratified international agreement that guarantee an adequate level of personal data protection;
- b the data subject has given consent in writing for the transfer. Collecting consent is not always possible (e.g., in the case of employees, it should be always verified whether the consent has been freely given);
- c the transfer is necessary for the performance of an agreement between the individual concerned and the controller or takes place in response to the relevant individual’s request;
- d the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and another subject (e.g., in the case of travel agencies);
- e the transfer is necessary for reasons of public interest;
- f the transfer is necessary for the establishment of legal claims;
- g the transfer is necessary to protect the vital interests of the data subject (e.g., for health reasons);
- h the transfer relates to data that are publicly available (e.g., data that constitute an extract from a statutory public register); or
- i the transfer takes place upon consent of the data protection authority where the data controller provides adequate data protection safeguards, such as approved model contractual clauses or binding corporate rules.
According to statistics from GIODO,29 there were only five decisions of the authority in 2017 related to transferring personal data outside the EEA (compared with 11 in 2016). This probably results from the change to the Act on the Protection of Personal Data that led to using EU model clauses (instead of approval by GIODO) as a legal basis for the transfer.
V COMPANY POLICIES AND PRACTICES
Under Polish personal data protection law,30 each data controller who processes personal data with the use of IT systems is obliged to prepare and implement the following policies:
- a a security policy; and
- b instructions on managing the IT systems used for personal data processing.
The scope of these documents is set out in law and includes the following detailed information:
- a a list of buildings, premises or their parts comprising the area where the personal data are processed;
- b a list of data filing systems with an indication of software used for data processing;
- c a description of the structure of the data filing systems and indication of the contents of particular information fields and connections between them;
- d the method of transferring data between particular systems;
- e a definition of technical and organisational measures necessary to ensure confidentiality, integrity and accountability of the data being processed;
- f the procedures for granting authorisation to process data and registration of these authorisations in the computer system as well as an indication of the person responsible for the aforesaid activities;
- g the applied methods and means of authorisation and procedures connected with their management and use;
- h the procedures for the beginning, suspension and the end of work by the users of the system;
- i the procedures for making backups of the data filing systems and programs and software tools used for the data processing;
- j the method, place and period of storage of electronic information media containing personal data and backups;
- k the method of securing the computer system against malicious software;
- l the method of implementation of the requirements to keep records of recipients to whom the data have been disclosed and the dates and the scope of this disclosure; and
- m the procedures for executing the inspection and maintenance of systems and information media used for personal data processing.
The requirements as to the type of information that has to be collected by a data controller apply irrespective of its size or the scope of the personal data processed.
VI DISCOVERY AND DISCLOSURE
As a general rule, for the purposes of criminal proceedings, courts and prosecutors may demand any information and documents that may be needed for the proceedings, including documents that contain personal data. There are specific provisions of law that relate to revealing personal data for the purposes of criminal proceedings conducted by authorities from other EU countries.31 Before a Polish institution discloses personal data to such authorities, it must verify the data for accuracy and completeness. The disclosing institution may impose certain requirements on the recipients, such as removing or anonymising the personal data after a certain time, limiting the scope of the personal data processed or refraining from informing data subjects about the processing of their personal data.
Apart from courts and prosecutors, there are numerous other authorities and institutions that may request a disclosure of information, such as the Polish police force, the Internal Security Agency, the Polish Foreign Intelligence Agency, the Polish Border Guard, the Military Intelligence and Military Counter-Intelligence Services, the Central Anti-Corruption Bureau and the Polish Military Police.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
According to court judgments, GIODO is the body with authority to supervise and enforce compliance with the law in relation to the processing of personal data.32 Under Article 18 of the Act on the Protection of Personal Data, in the event of any breach of the provisions on personal data protection, the authority, ex officio or upon a motion of an individual concerned, by means of an administrative decision, shall order the restoration of the proper legal state, and in particular undertake (1) to remedy the negligence; (2) to complete, update, correct, disclose, or not to disclose personal data; (3) to apply additional measures protecting the collected personal data; (4) to suspend the flow of personal data to a third country; (5) to safeguard the data or to transfer them to other subjects; and (6) to erase the personal data. If the decision issued by GIODO is not followed, the authority may impose a fine of up to €50,000 for a legal person.
In addition, criminal offences may be prosecuted by the public prosecutor under Articles 49–54a of the Act on the Protection of Personal Data. According to the statistics published by GIODO on its website, the authority notified the prosecutor of possible criminal offences related to the protection of personal data 11 times in 2017, compared with 36 such notifications in 2016.
ii Recent enforcement cases
One of the most discussed decisions issued by GIODO in 2017 concerned the state-owned register of Polish citizens (PESEL). The inspection carried out by GIODO was triggered by information about probable non-compliant access to the PESEL register by bailiffs for the purpose of debt collection proceedings they were conducting. GIODO issued a decision against the Ministry of Digital Affairs on 12 September 2017, in which the authority ordered the Ministry to (1) develop and implement, by 31 December 2017, procedures to be followed in the event of an incident related to the protection of personal data processed in the PESEL register; (2) ensure, by 30 September 2017, that a certificate card allowing remote access to the PESEL register is issued to no more than one user; (3) modify, by 31 March 2018, the PESEL access application so that it requires a justification for each access to the data processed in the PESEL register; and (4) implement, by 31 December 2017, the software necessary for analysing system logs, including operations performed by users who were granted access to the PESEL register.
The data protection regulator has also been active in the telecommunications sector. In recent decisions, upheld by the administrative courts, GIODO ordered telecommunications service providers to cease the practice of copying customers’ identification documents. These copies were produced at the point of finalising with customers the agreement for the provision of telecommunications services. The authority, supported by the Office of Electronic Communication, is of the view that this practice is contrary to the Telecommunications Law and the Act on the Protection of Personal Data, as it may result in the processing of data the scope of which is inadequate for the purpose of the agreement.
iii Private litigation
Private litigation in relation to privacy and personal data has a low profile in Poland, and case law is scarce in this field. Last year saw very few proceedings related to infringement of privacy based on civil law and the right to dignity. One court ruled, for example, that installing a CCTV camera in front of a private apartment does not infringe a neighbour’s right to privacy. As stated by the judge deciding the matter: ‘The applicable legal system also grants everyone the personal right to live in their apartment (home), free from disturbances and unrest, and the right to protect their property. These goods are subject to the same protection as the right to privacy.’33
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Polish personal data protection law applies to foreign companies if they are located in a third country (a country outside the EEA) but process the personal data with the use of technical means located in Poland.34
Companies that act in international groups and have their branch (a local company) located in Poland, should take into account specifics of Polish personal data protection law that may be applicable to their Polish branches, such as:
- a a requirement to keep data protection documentation in Polish;
- b no option to market the goods or services of another group company on the basis of legitimate interest (only marketing of the branch’s own goods or services is allowed on this basis);
- c no option to resign from specific security measures that are required under Polish law (e.g., the requirement to change computer passwords every 30 days);
- d strict rules on processing of employees’ personal data (e.g., no option to ask an employee for their criminal record);
- e a lack of clear rules on collecting personal data via monitoring (e.g., CCTV monitoring); and
- f strict rules on obtaining consent for personal data processing (consent has to be explicit and cannot be a part of a contract or by-laws).
IX CYBERSECURITY AND DATA BREACHES
i Cybersecurity
While there is no single general act regulating how data should be protected, a number of sector-specific regulations cover this issue. In relation to personal data, the key act is the Regulation of 29 April 2004 of the Minister of Internal Affairs and Administration as regards the documentation required to undertake personal data processing, and the technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing. The regulation sets some standards for IT systems that process personal data. However, as the regulation is quite old, the standards are outdated and do not guarantee an adequate level of security. As the GDPR and the NIS Directive will come into force soon, we anticipate changes in how personal data should be protected.
This year, the Ministry of Digital Affairs published the Strategy for Cybersecurity for Poland for 2017–2022.35 The Strategy outlines four goals to be achieved in the given time frame: (1) achieve capacity for nationally coordinated actions to prevent, detect, combat and minimise the impact of incidents that compromise the security of ICT systems relevant for the functioning of the state; (2) strengthen capacity to address cyberthreats; (3) increase national capacity and competence in cyberspace security; and (4) build a strong international position in cybersecurity.
Crimes that are committed online are regulated by (and prosecuted under) the Polish Criminal Code, which sets out the principles of criminal liability (e.g., in cases of accessing information without the authorisation of the owner). There are also some sector-specific regulations (e.g., for banks, there is ‘Recommendation D on the management of information technology areas and the security of the ICT environment in banks’).36
ii Data breaches
There is no general requirement for data controllers (or data processors) to notify a data breach either to the authorities or to data subjects. The only law that requires such notifications is the Telecommunications Law, under which providers of publicly available telecommunications services are required to notify the Office of Electronic Communications of personal data breaches. Under Article 174a of the Telecommunications Law, the telecommunications services provider is required to notify the authority of the breach as soon as possible, and no later than 72 hours after the incident. Based on Article 174a, Sections 3 and 4 of the Telecommunications Law, telecommunications services providers are also required to notify the affected data subjects of such incidents if the breach may have a negative impact on the individuals’ rights.
There were some significant data breaches this year. For instance, sensitive data of approximately 50,000 patients leaked from one of the public hospitals,37 and a similar number of records covering employees and contractors leaked from the private postal services provider.38 Also, the financial sector had its own problems with security. According to a press release,39 one of the leading providers of loan services was the victim of hackers and as a result suffered a leak of its customers’ data.
Businesses operating in Poland look forward to the final version of the package of legal acts that will implement GDPR. This covers key business sectors, such as banking, insurance, telecommunications and e-commerce. The GDPR will also be a game changer for the regulator itself, as it will face new, sometimes complicated, procedures. We can expect to see some uncertainty in the area of privacy law in the coming years, and from many perspectives.
At the same time, we are still awaiting general regulation of cybersecurity and implementation of the NIS Directive. Data breaches are also becoming more and more difficult to prevent, and the state and businesses should have proper tools to defend against criminal activity.
1 Anna Kobylańska and Marcin Lewoszewski are partners at Kobylańska & Lewoszewski Kancelaria Prawna Sp J.
3 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
6 Journal of Laws No. 78, item 483, available in English at:
7 Journal of Laws 2014, Item 121 with amendments.
8 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
12 Working document on the surveillance of electronic communications in the workplace: ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp55_en.pdf.
15 Article 173, Section 1 of the Act of 16 July 2004 – Telecommunications Law.
16 Articles 209 and 210 of the Act of 16 July 2004 – Telecommunications Law.
17 Informacja GIODO o przetwarzaniu i dostępie do danych geolokalizacyjnych, available at
18 Article 23, Section 1(1) of the Act on the Protection of Personal Data.
19 Article 23, Section 1(2) of the Act on the Protection of Personal Data.
20 Article 26, Section 1(3) of the Act on the Protection of Personal Data.
21 Article 26, Section 1(3) of the Act on the Protection of Personal Data.
22 Article 23, Section 1(4) of the Act on the Protection of Personal Data.
23 Article 36 of the Act on the Protection of Personal Data.
24 Informacja GIODO o przetwarzaniu i dostępie do danych geolokalizacyjnych, p. 18, available at
25 Article 10, Section 1 of the Act of 18 July 2002 on Provision of Services by Electronic Means.
26 Article 172, Section 1 of the Act of 16 July 2004 – Telecommunications Law.
27 Proposal for the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing EU Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
28 Journal of Laws 2014, Item 1502.
30 Article 36, Section 2 of the Act on the Protection of Personal Data, and Sections 4 and 5 of the Regulation of 29 April 2004 of the Minister of Internal Affairs and Administration as regards personal data processing documentation and the technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing.
31 Act of 16 September 2011 on Exchanging Information With Investigation Institutions from EU Countries.
32 Judgment of the Provincial Administrative Court dated 23 November 2005, II SA/Wa 1488/05,
34 Article 3, Section 2 of the Act on the Protection of Personal Data.
35 See footnote 4.