When it comes to protection of privacy and personal data, Poland has followed the EU standards and laws for many years and, in addition to the entry into force of the Polish Act on Personal Data Protection (the Act) on 10 May 2018, the country prepared its legal framework for the introduction of the General Data Protection Regulation (GDPR). There is still some room for improvement (e.g., how fast data privacy matters are dealt with by the data protection authority), but it seems that this is not a Poland-specific issue.2 Further legislative works are, however, needed, for example, in banking and insurance law.
Data protection officers and experts are in high demand in both the public and private sectors. Several higher-education bodies offer postgraduate studies focused on privacy and there are GDPR events on a daily basis. The awareness in society regarding privacy is high and probably increasing, owing to the fact that the GDPR is directly applicable. The e-Privacy regulation is also likely to increase this demand.
New legislation, not necessarily connected to the GDPR, was enacted in the previous year or will be enacted soon, including a law on counterterrorism and preventing hate speech on the internet. From many perspectives, and for different reasons, privacy is a topical issue and although there are still aspects that are expected to be regulated in the near future, there are some who say it is already an overregulated area.
II THE YEAR IN REVIEW
Between the end of 2017 and the first half of 2018 we have seen a strong focus on preparing the Polish legal framework for the implementation of the GDPR. The Ministry of Digital Affairs, which is responsible for the introduction of the GDPR into Polish law, published several drafts of the amended Act in February and March 2018. The draft Act was eventually put forward for consideration by the Polish parliament on 5 April 2018 and was adopted on 10 May 2018 and is now fully binding. In parallel to the adoption of the Act, the draft on the amendment of certain acts in connection with ensuring compliance with the GDPR has not yet been adopted into the Polish legal framework. It is still being worked on by the Council of Ministers. We point out that some of those sectoral provisions were incorporated and adopted in the Act, such as labour law, local government and banking law provisions. The basic and most needed provisions have been adopted and implemented in compliance with the GDPR.
Entities responsible for the implementation of the GDPR in Poland as well as private entities, such as lawyers, businesses and entrepreneurs, conducted trainings, lectures and events in order to familiarise themselves with the GDPR and its practical implementation.
In connection with the necessity to implement the NIS Directive,3 work on the draft law on the national cybersecurity system began on 8 January 2018 and was redirected to the Polish parliament on 30 April 2018. The last step taken towards the adoption of the above-mentioned was taken on 5 July 2018, which was the third and last reading at a Polish legislative proceeding. The Act on the National Cybersecurity System was signed by the President of Poland on 1 September 2018 and is now binding.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
Privacy law has its roots in the Constitution of the Republic of Poland of 2 April 1997,4 and in particular in Article 47, which guarantees the right of every citizen to a private life. This constitutional principle was further specified in Articles 23 and 24 of the Act of 13 April 1964 of the Civil Code,5 which protect the personal interests of natural persons.
Poland implemented EU Directive 95/46/EC6 by enacting the Act of 29 August 1997 on the Protection of Personal Data (the Act on the Protection of Personal Data).7 The Act on the Protection of Personal Data followed the EU Directive and was in compliance with EU law. It was of a general nature and regulated the whole spectrum of processing of personal data by the entities to which the Act on the Protection of Personal Data applied (including public bodies, associations, individual entrepreneurs and legal entities conducting businesses). The Act on Protection of Personal Data (from 1997) as from 25 May 2018 is not binding
As of now, Poland is directly subject to provisions of the GDPR. However, it was necessary to adjust the national data protection provisions to new regulations and obligations resulting from the GDPR. Therefore, the Act, fully compliant with the GDPR, was adopted on 10 May 2018.
Data protection is also guaranteed by many sector-specific regulations. There are key legal acts covering data protection in the areas of banking law, insurance law, telecommunications, e-commerce, pharmaceuticals and health law, and other areas where sector-specific provisions regulating how data should be processed are present. As was stated before, sectoral regulations will be amended to bring them into line with the GDPR. Nevertheless, the legislative procedure has not yet been completed.
Notwithstanding this regulatory spread, it seems that the President of the Office of Personal Data Protection (PUODO (the name of the supervisory authority was changed by the Act; the previous name was the General Inspector of Personal Data Protection)) has been less active when it comes to enforcement actions and inspections. According to publicly available statistics,8 in the first half of 2018 (so before the entry into force of the GDPR), PUODO conducted 21 inspections (compared with 212 in 2017). There is no information on the number of received complaints in 2018. In comparison, in 2017 there were 2,950 submitted complaints.
ii General obligations for data handlers
A controller, when processing personal data, has to ensure:
- legal grounds for personal data processing;
- limitation of purposes for which personal data are processed;
- time limitation of personal data storage;
- relevancy, accuracy and adequacy of the personal data processed by the controller;
- enforcement of data subjects' rights; and
- security of the personal data.
Legal grounds for personal data processing include, among others, consent of a data subject, necessity to exercise a contract with the data subject, necessity of exercising rights or duties arising from law, and legitimate interests. The controllers often ask data subjects to grant their consent but, in fact, all other legal grounds should also be taken into account. Consent of a data subject may be easily withdrawn (at any time after its granting), so it is always worth considering other legal grounds for personal data processing.
The controller is obliged to fulfil an information obligation to inform data subjects about their rights. This information is provided at the first moment the data is gathered by the controller. The information should include: identity and contact details of the controller or data protection officer, the purpose and legal basis of the data collection, data recipients or categories of data recipient, possible transfer of personal data, storage period, whether the provision of personal data is a statutory or contractual requirement, the existence of rights to request from the controller as well as the right to lodge a complaint and information on the existence of automated decision-making, including profiling. Even more categories of information have to be provided in a situation where the personal data are not collected directly from the data subject.
If the controller outsources areas of its business, including personal data processing, it is obliged to ensure the outsourced third party (called a processor) takes proper care of the data. For this reason, the controller is obliged to enter into a data-processing agreement with the processor. The data processing agreement should include a provision obliging the processor to process the data solely within the scope of, and for the purpose determined in, the contract as well as imposing an obligation on the processor to sufficiently guarantee implementation of appropriate technical and organisational measures.
In case of an obligation to designate a data protection officer the controller notifies PUODO of data protection officers' designation providing contact details. The Act specifies that a person previously functioning as an information security administrator (under the Act on Personal Data Protection this was a similar position to a data protection officer) the date of application of the GDPR becomes by law the data protection officer. As a rule, the notification needs to be fulfilled within 14 days from date of designation. Notwithstanding, in a big simplification, transitional provisions of the Act indicate that if an information security administrator was not designated prior to application of the GDPR and the controller is obligated to designate a data protection officer, the notification needs to be fulfilled until 31 July 2018. However, if an information security administrator was designated and the same person will function as data protection officer or a different person will be designated as a data protection officer the notification needs to be fulfilled until 1 September 2018.
The controller is obliged to secure the personal data against loss or unauthorised access. For this reason, the controller has to apply organisational and technical means appropriate for the type of risk. Controllers are obliged to specify what technical and organisational measures are appropriate for their organisation as neither GDPR legislation nor the Act defines step by step what safeguards to implement.
iii Technological innovation and privacy law
- the user should be informed of the purpose of storing and using the information, and about the possibility of configuring the browser or service settings to set rules regarding the use of the information about the user;
- the user, after receiving this information, consents to this use of his or her data; and
- the information stored on the user's computer does not cause a change in the settings of the user's computer device or software.
Non-compliance with the cookie law may result in a financial penalty of up to 3 per cent of the infringer's revenue from the previous year.10
In July 2017, GIODO (now PUODO) published a broad analysis of the impact of location tracking on privacy.11 The analysis covers both the Act on the Protection of Personal Data and the GDPR.
According to the authority's stated view, data collected with reference to location tracking should be considered personal data. Therefore, the general rules for processing such data should be applied. The key principles applying to location tracking are the principles of legality,12 expediency,13 adequacy,14 substantive correctness,15 timeliness,16 and integrity and confidentiality.17 PUODO considers consent of the individual concerned to be the key legal basis for such processing.
As stated within the analysis, just as telecoms operators process a particular device's location using base stations, database owners with mapped Wi-Fi access points process personal data when calculating the location of a particular smart mobile device. By specifying both objectives and the means of such processing, these entities become controllers within the meaning of Article 4(7) of the GDPR.18
In terms of the Polish law regarding unsolicited commercial information, the rules of using electronic devices for marketing purposes became unclear. It is forbidden to send commercial information by means of electronic communication (including emails, text messages and internet communicators) without the user's consent.19 This prohibition is broadly interpreted: even a company logo or a marketing slogan used in an electronic signature may be treated as commercial information. Moreover, this prohibition relates not only to sending emails to private persons, but also to individuals who represent companies. There is also one more prohibition on the use of telecommunication devices or automated calling systems for direct marketing.20 Under this law, companies cannot make phone calls or send emails or text messages with their offers without users' prior consent. As a result of these two types of prohibition, companies started asking users to grant consent to these two types of action, causing annoyance and lack of understanding on the part of the users.
Spamming may be punished under five different acts of Polish law (the Act on Provision of Services by Electronic Means, the Act on Combating Unfair Competition, the Act on Combating Unfair Market Practices, the Act on Competition and Consumer Protection and the Telecommunications Law) with a maximum financial penalty of up to 10 per cent of the previous year's turnover. In practice, spammers and cold callers are rarely punished for their actions.
The new rules on the use of electronic devices for marketing purposes are expected with the adoption of the EU ePrivacy Regulation.21
iv Specific regulatory areas
One of most difficult aspects of processing personal data under Polish law relates to the employer–employee relationship. It is common practice for employers to process as much data as possible about employees and candidate employees. However, Polish employment law limits the scope of data than can be processed in such cases. Article 22(1) of the Act of 26 June 1974 on the Labour Code22 – changed by the Act – provides a list of the data that an employer can request from an employee or candidate employee, including date of birth, education and employment records. Courts have confirmed that employers are not allowed to process data other than those specified in the Labour Code, even with the employee's consent, because of possible resulting imbalances between the employer and the employee.
The other interesting aspect regarding the processing of candidate employees' and employees' concerns background checks. In practice, the verification of candidates' past history is limited to the documents they present to the employer and to checking the references supplied (subject to certain conditions). In most parts of the private sector, it would be non-compliant to verify candidates' criminal records, with an exception for cases such as the employment of bodyguards.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
As to the international data transfer, these issues are now regulated by the GDPR provisions.
For now there are no specific laws regulating this matter in Poland, however, it should be noted that the legislative works undertaken owing to the GDPR's entry into force are still not finished. Therefore, it cannot be excluded that such regulations will be introduced in Poland in the near future.
V COMPANY POLICIES AND PRACTICES
Under the Act, there are no requirements obliging the companies to adopt company policies in the meaning of specific documentation relating to personal data protection.
However, as to the company practices, the Act introduces a complex regulation of the matter of video surveillance in the workplace. It has to be highlighted that this issue had not been explicitly regulated in Polish law before and therefore it had been causing considerable uncertainty among Polish employers.
Pursuant to the relevant provisions of the Act, the employer is allowed to install video surveillance in case it is necessary to (1) ensure the safety of the employees; (2) protect property; (3) control the process of production; (4) protect the trade secrets, which disclosure might cause damage to the employer. However, in line with the purpose and storage limitation principles expressed in the GDPR, the employer is required to ensure that the registered image recordings shall be processed by the employer only for the purposes for which they were collected, for a period not exceeding three months, in case the video recording is not evidence in legal proceedings or the employer has not been informed that it may be evidence in such proceedings. The employer is limited also as to the location of the video surveillance, owing to the provision of the Act that states that to lawfully install the video surveillance in sanitary rooms, cloakrooms, canteens, smoking rooms or premises made available to trade union organisations, the employer shall ensure that such monitoring is necessary for the allowed purposes and that it does not violate either the dignity and other personal rights of the employee or the principles of freedom and independence of the trade unions.
The Act places strong emphasis on the information obligation in the context of video surveillance in the workplace, imposing on the employer an obligation to regulate the purposes, scope and the way of use of the surveillance in collective agreements with trade unions or in the internal workplace policies. If there is no collective agreement or the employer is not obliged to set workplace regulations, this information shall be included in a notice given to the employees. In each case every employee shall be provided in writing with the aforementioned information before he or she starts to carry out the work duties, and if the employee is already carrying out work duties – at least two weeks before the launch of the video surveillance. The employer is also obliged to indicate the monitored rooms and areas in a clear and visible manner, through the use of appropriate signs or acoustic signals, no later than one day before the launch of the video surveillance. The Act explicitly states that the aforementioned obligations are without prejudice to the information obligation deriving from the GDPR provisions.
The Polish legislator decided to regulate also the issue of email correspondence surveillance conducted by the employers, which – unlike video monitoring – is allowed to be undertaken for the purpose of exercising control over the working time and the potential off-duty activities of the employees, as the relevant provision states that it may be introduced when it is necessary 'to ensure the workflow enables full use of the working hours and proper use of work tools handed to the employee'. However, this kind of workplace surveillance is also facing some limits, as its conduct cannot infringe the privacy of correspondence and the personal rights of the employees. It should be noted, though, that the information obligations in case of email surveillance correspond to the obligations imposed on the employer in case of video surveillance.
It has to be noted that the sector-specific acts on data protection, whose aim is to adjust the regulations regarding different sectors of Polish economy to the GDPR requirements, are still being processed. Therefore, more specific regulations on company policies and practices are expected to be adopted in Poland in the near future.
VI DISCOVERY AND DISCLOSURE
As a general rule, for the purposes of criminal proceedings, courts and prosecutors may demand any information and documents that may be needed for proceedings, including documents that contain personal data. There are specific provisions of law that relate to revealing personal data for the purposes of criminal proceedings held by authorities from EU countries.23 Disclosing personal data to such authorities by Polish institution requires their initial verification as to accuracy and completeness. A disclosing institution may impose certain requirements on data receivers, such as removing or anonymising personal data after a certain time, limiting the scope of personal data processed or refraining from informing data subjects about their personal data processing.
Apart from courts and prosecutors, there are numerous other authorities and institutions that may request a disclosure of information, such as the Polish Police Force, the Internal Security Agency, the Polish Foreign Intelligence Agency, the Polish Border Guard, the Military Intelligence and Military Counter-Intelligence Services, the Central Anti-Corruption Bureau and the Polish Military Police.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Act indicates explicitly that the PUODO is the body responsible in Poland for data protection issues and that it is the Polish supervisory authority in the meaning of the GDPR.
The Act defines the scope of competence of PUODO, which involves among others (1) conducting proceedings on infringements of data protection laws and imposing administrative fines according to the relevant GDPR provisions, and (2) monitoring of compliance with the data protection laws. These tasks, consistent with the GDPR provisions, are thoroughly described in the Act, with relevant references to Polish applicable laws.
As to the proceedings on infringements of data protection laws, the Act indicates the manner, in which the Polish general administrative procedure shall be applied, taking into account the specificity of the data protection cases. The Act establishes also the procedure applicable to the monitoring of compliance conducted by PUODO, which may be conducted in particular in the form of inspection. An inspection can be performed only under numerous restrictions, which were imposed by the Polish legislator in order to assure the participation of the controlled entity or person and the transparency of the activities undertaken during a inspection. The scope of control is also limited as to its timeframe, locations subject to control and types of evidence that may be considered during a control.
It has to be highlighted that pursuant to the Act, unlawful or unauthorised processing of personal data constitutes a criminal offence, which may be prosecuted by the prosecutor and is punishable by a fine, restriction of liberty or imprisonment of up to two years. However, in case the personal data involved belongs to the special categories of data as understood in the Article 9 of the GDPR, the possible restriction of liberty or imprisonment sanction is increased to a maximum of three years. The Act establishes also criminal responsibility for frustrating or impeding an inspection regarding the compliance with data protection laws, and therefore such actions are penalised with a fine, restriction of liberty or imprisonment for up to two years.
ii Recent enforcement cases
As to the enforcement cases issued in 2018, there was an interesting case, in which the then Polish supervisory authority, GIODO, was considering the scope of the obligation to delete personal data from backups. Finally, it determined that erasure of data requires also erasure of all backups. However, it was noted that as backups are useful only provided their integrity is maintained, in practice difficulties may arise when a backup contains data that is supposed to be deleted, as well as some other data, that is being lawfully processed. In such case, the need to consider the interests of an individual whose data shall be deleted and of other persons who shall be granted access to their data is uppermost. It should be noted that this issue is now explicitly regulated in the GDPR as to the processing activities conducted by a processor, which is required to delete all existing copies after the end of the provision of services relating to processing.
Another case concerned a company that sent notifications to their customers titled 'Important information regarding actualisation of your personal data', a few months before the GDPR started to be directly applicable. The notifications attracted the attention of the Polish supervisory authority, as the customers where requested not only to give their consent to processing of their data, but also to give their consent to online marketing and telemarketing, as well as to agree to make their personal data available for marketing purposes to the company's business partners. What was crucial in the case was the fact that the notification included a request to tick all six checkboxes and provide the company with the actual contact data, as they stated that the company 'is obliged to update them due to the new regulations'. A decision has not been issued in this case yet, however, in the light of the GDPR provisions, according to opinions expressed by the experts, it is probable that such consent to processing should not be perceived as freely given.
iii Private litigation
Private litigation in relation to privacy and personal data does not have much of a profile in Poland and case law is scarce in this field. Last year saw very limited proceedings related to infringement of privacy based on civil law and the right to dignity. One of the courts ordered, for example, that installing a CCTV camera in front of a private apartment does not infringe a neighbour's right to privacy. As stated by the judge deciding the matter: 'The applicable legal system also grants everyone the personal right to live in their apartment (home), free from disturbances and unrest, and the right to protect their property. These goods are subject to the same protection as the right to privacy.'24
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
It has to be noted that owing to the GDPR being directly applicable, foreign organisations do not have to be too concerned with complying with Polish regulations, since data protection law has been unified in the majority of aspects.
However, the provisions of the recently adopted Act have to be taken into account, especially with regard to above-mentioned video surveillance in the workplace. There are also some other regulations that shall be considered, for example, the Polish Labour Code, which explicitly indicates the scope of data that may be requested by an employer in relation to the employment, as well as the scope of data that may be requested in the recruitment process. Therefore, all data processed in relation to the employment and recruitment processes that exceed the aforesaid remits shall be processed on the basis of the data subject's consent. It has to be highlighted also that according to the applicable laws, all data protection documentation must be kept in Polish.
IX CYBERSECURITY AND DATA BREACHES
On 5 July 2018, the Act on the National Cybersecurity System implementing the NIS Directive into the Polish legal framework was voted on by the legislative bodies and on 1 September 2018 it was signed by the President of Poland and is now binding.
The purpose of the Act is in particular to organise the national cybersecurity system and to indicate tasks and duties of the entities included in this cybersecurity system. The system imposes different obligations on the entities providing essential services, digital services providers, public entities a well as CSIRT MON, CSIRT NASK and CSIRT GOV. However, not all business entities are subject to the new law. Essential services operators are entities based in Poland, to whom the decision was issued recognising them as an essential service operator and those which belong to the sector and subsector indicated in Appendix 1 of the Act on the National Cybersecurity System. Appendix 1 indicates, among others, entities from the energy sector, transport providers, entities providing banking services or healthcare services. The operators' task is to recognise, secure and remedy incidents that could carry risk. For the purpose of prevention, the operator collects all possible information about cybersecurity threats and in consequence applies preventive measures limiting incidents on cybersecurity.
The operator is obliged to appoint an appropriate contact person for communication with entities of the national cybersecurity system. It is necessary for essential services operators to conduct an audit of the security of the IT systems used to provide the services – at least once every two years.
The digital service provider is a legal person or an organisational unit without legal personality, having its registered office or management on the territory of Poland or a representative with an organisational unit in Poland that provides digital services. Exceptions to the above are microentrepreneurs and small entrepreneurs. Digital services – in accordance with Appendix 2 of the Act on the National Cybersecurity System – are online trading platforms, cloud-based service providers and internet search engines. The obligations of digital service providers are narrower than the obligations of key service operators.
In the scope of cybersecurity services, the Act indicates the possibility to outsource services based on a contract.
ii Data breaches
The GDPR imposes a general obligation on the controllers regarding notifying data breaches to the relevant supervisory authorities. It also defines the elements that each notification has to include.
According to the Act, the PUODO may keep an IT system, by which the controllers shall be able to notify data breaches. The wording of the aforesaid provision suggests that keeping such system is optional and a controller is allowed to notify the supervisory authority also by traditional means. This conclusion was confirmed by a supervisory authority's officer, who nevertheless made it clear that notifying data breaches by electronic means is highly recommended.
Therefore, on the PUODO's website there is already an electronic form available, which is intended to be used while notifying a data breach, along with instructions for the controllers. It has to be stressed out that the scope of information required in the form is much broader than the scope of information determined in the GDPR.
For instance, regarding the nature of breach, the controller is required to provide information whether the breach is a data confidentiality breach, a data integrity breach, or a data accessibility breach, which the form briefly explains. The controller is obliged also to indicate what did the breach consist in, however, the form provides for some suggestions presented in a form of checkboxes. The form requires the controller to indicate whether the breach was caused by intentional or unintentional, internal or external action; as well as to provide additional description of the cause. The scope of information is broadened also in case of categories of data (owing to the requirement to classify them as e.g., 'identification data', 'economic data', 'official documents', etc). The form requires also from the controller providing detailed information as to the measures taken or proposed to address the data breach; in particular regarding the carried out or planned communication with data subjects, including the indication of the date and the means of the communication, number of data subjects, as well as providing the supervisory authority with the exact wording of the communication. The controller is also required to inform whether the breach has already been notified to foreign supervisory authorities and – if applicable – to indicate what kind of legal obligations were met by such notification.
As to the manner of notifying the data breach to the supervisory authority, it has to be mentioned that to settle official matters by electronic means in Poland, owning a trusted profile is necessary. A trusted profile is a free-of-charge method of confirming identity in electronic contacts with Polish administration. However, owing to the fact that obtaining a trusted profile requires going through a registration process, not all entrepreneurs use it. Nevertheless, owing to the approach adopted by PUODO, it can be assumed that the electronic procedure of notifying data breaches will enjoy wide popularity among the Polish entrepreneurs.
Businesses operating in Poland look forward to sector-specific acts implementing amendments of certain sector provisions regarding data protection to ensure compliance of the national legal framework with the GDPR, which, alongside the latter, will constitute the final and complex version of the package of legal acts implementing the GDPR. This covers key business sectors, such as banking, insurance, telecommunications and e-commerce. The GDPR is also a game-changer for the regulator itself, as it will face new, sometimes complicated, procedures. We can expect to see some uncertainty in the area of privacy law in the coming years, and from many perspectives.
At the same time, we are still awaiting general regulation of cybersecurity and implementation of the NIS Directive. Data breaches are also becoming more and more difficult to prevent, and the state and businesses should have proper tools to defend against criminal activity.
1 Anna Kobylańska and Marcin Lewoszewski are partners, and Maja Karczewska and Krzysztof Muciak are associates at Kobylańska Lewoszewski Mednis sp. j.
3 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
5 Journal of Laws 2014, Item 121 with amendments.
6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
9 Article 173, Section 1 of the Act of 16 July 2004 – Telecommunications Law.
10 Articles 209 and 210 of the Act of 16 July 2004 – Telecommunications Law.
12 Article 23, Section 1(1) of the Act on the Protection of Personal Data.
13 Article 23, Section 1(2) of the Act on the Protection of Personal Data.
14 Article 26, Section 1(3) of the Act on the Protection of Personal Data.
15 Article 26, Section 1(3) of the Act on the Protection of Personal Data.
16 Article 23, Section 1(4) of the Act on the Protection of Personal Data.
17 Article 36 of the Act on the Protection of Personal Data.
19 Article 10 Section 1 of the Act of 18 July 2002 on Provision of Services by Electronic Means.
20 Article 172 Section 1 of the Act of 16 July 2004 – Telecommunications Law.
21 Proposal for the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing EU Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
22 Journal of Laws 2014, Item 1502.
23 Act of 16 September 2011 on Exchanging Information with Investigation Institutions from EU Countries.