I OVERVIEW

When it comes to protection of privacy and personal data, Poland has followed the EU standards and laws for many years and, in addition to the entry into force of the Polish Act on Personal Data Protection (the Act) on 10 May 2018, the country prepared its legal framework for the introduction of the General Data Protection Regulation (GDPR). As a result, on 4 May 2019 the Derogation Act,2 which introduced changes to almost 170 Polish acts, entered into force. There is still some room for improvement (e.g., how fast data privacy matters are dealt with by the data protection authority), but it seems that this is not a Poland-specific issue.3

Data protection officers and experts are in high demand in both the public and private sectors. Several higher-education bodies offer postgraduate studies focused on data protection and there are privacy-related events organised on a daily basis. Public awareness of privacy is high and likely increasing, owing to the fact that the GDPR is directly applicable. The ePrivacy regulation is also likely to increase this awareness.

Apart from that, new legislation supplementing the Act on the National Cybersecurity System, which transposed the NIS Directive into the Polish legal framework, was enacted during the past year. From many perspectives, and for different reasons, privacy is currently a matter of common concern and is expected to be even more crucial in the near future.

II THE YEAR IN REVIEW

2019 was very busy for Poland from a privacy-law perspective due to regulatory actions of the supervisory authority, as well as its issuance of several guidelines related to the implementation of the GDPR.

The first GDPR-related enforcement action in Poland's history took place on 15 March 2019, when the Polish supervisory authority (PUODO) issued its decision on one of the data controllers. The decision was focused on transparency obligations and – as argued by the regulator – resulted from not fulfilling the information obligations based on Article 14, Sections 1 and 2 of the GDPR. The controller at hand processed more than 7.59 million records about individuals conducting business activity or representing the legal entities (e.g., members of the board). The data was collected from public registers, available to everyone. The controller argued that it may rely on the exemption from the information obligations as provided in Article 14, Section 5(b) – the disproportionate effort, related to the time and cost of providing all the data subjects with information notices. The PUODO, however, did not agree with this position and imposed a €220,000 fine. What is more, the PUODO ordered the controller to inform all the data subjects in line with Article 14 Sections 1 and 2 within three months of receiving the decision by the controller. The controller appealed to the court and it is now expected that the case should be decided by the court at the beginning of 2020.

At the same time, the PUODO issued several interesting guidelines. For example, one focused on Brexit and transferring personal data to the UK after it leaves the EU.4 The second describes the regulator's approach to data breaches.5 Further, the PUODO issued a list of cases where a data protection impact assessment (DPIA) is mandatory for data controllers.6

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

Privacy law has its roots in the Constitution of the Republic of Poland of 2 April 1997,7 in particular in Article 47, which guarantees the right of every citizen to a private life. This constitutional principle was further specified in Articles 23 and 24 of the Polish Civil Code,8 which protect the personal interests of natural persons.

Poland implemented EU Directive 95/46/EC9 by enacting the Act of 29 August 1997 on the Protection of Personal Data (the Act on the Protection of Personal Data).10 It was of a general nature and regulated the whole spectrum of processing of personal data by the entities, to which the Act on the Protection of Personal Data applied (including public bodies, associations, individual entrepreneurs and legal entities conducting businesses). The Act on the Protection of Personal Data (from 1997) is not binding from 25 May 2018, when the GDPR became fully effective.

Currently personal data protection is primarily governed by the GDPR. Nevertheless, there was a need to enact local law in order to adjust the Polish legal system to the requirements envisaged in the GDPR. The Act,11 covering mostly institutional and organisational matters, such as the functioning of the PUODO and the rules of procedure in case of infringement of personal data protection laws, was adopted on 10 May 2018.

It shall be noted that many Polish sector-specific regulations contain provisions regulating personal data protection issues, such as in the laws governing banking, insurance, telecommunications, health and e-commerce. These sector-specific regulations also needed to be amended to the extent necessary to ensure that they are fully compliant with the GDPR. The Derogation Act, which introduced changes to almost 170 Polish acts, entered into force on 4 May 2019.

The PUODO is quite active when it comes to enforcement actions and inspections. According to the PUODO's statement, it conducted more than 80 inspections under the GDPR and more than 4,500 data breaches were reported between 25 May 2018 and 25 May 2019.12

ii General obligations for data handlers

A controller, when processing personal data, must ensure:

  1. legal grounds for personal data processing;
  2. limitation of purposes for which personal data are processed;
  3. time limitation of personal data storage;
  4. relevancy, accuracy and adequacy of the personal data processed by the controller; and
  5. security of the personal data.

Legal grounds for personal data processing include, among others, consent of a data subject, necessity to exercise a contract with the data subject, necessity of exercising rights or duties arising from law, and legitimate interests. The controllers often ask data subjects to grant their consent but, in fact, all other legal grounds should also be taken into account. Consent of a data subject may be easily withdrawn (at any time after its granting), so it is always worth considering other legal grounds for personal data processing.

The controller is obliged to fulfil an information obligation to inform data subjects about their rights. This information is provided at the first moment the data is gathered by the controller. The information should include: identity and contact details of the controller or data protection officer, the purpose and legal basis of the data collection, data recipients or categories of data recipient, possible transfer of personal data, storage period, whether the provision of personal data is a statutory or contractual requirement, the existence of rights to request from the controller as well as the right to lodge a complaint and information on the existence of automated decision-making, including profiling. Even more categories of information have to be provided in a situation where the personal data are not collected directly from the data subject.

If the controller outsources areas of its business, including personal data processing, it is obliged to ensure the outsourced third party (called a processor) takes proper care of the data. For this reason, the controller is obliged to enter into a data-processing agreement with the processor. The data processing agreement should include a provision obliging the processor to process the data solely within the scope of, and for the purpose determined in, the contract as well as imposing an obligation on the processor to sufficiently guarantee implementation of appropriate technical and organisational measures.

In case of an obligation to designate a data protection officer, the controller notifies the PUODO of the data protection officer's appointment and provides contact details. The Act specifies that a person previously functioning as an information security administrator (under the Act on Personal Data Protection this was a similar position to a data protection officer) on the date of application of the GDPR becomes by law the data protection officer. As a rule, the notification needs to be fulfilled within 14 days from the date of designation.

The controller is obliged to secure the personal data against loss or unauthorised access. For this reason, the controller has to apply organisational and technical means appropriate for the type of risk. Controllers are obliged to specify what technical and organisational measures are appropriate for their organisation as neither GDPR legislation nor the Act defines step by step what safeguards to implement.

iii Data subject rights

Data subjects' rights are envisaged in the GDPR, such as the right to access (Article 15 of the GDPR), right to rectification (Article 16 of the GDPR), right to erasure (Article 17 of the GDPR), right to restriction of processing (Article 18 of the GDPR), right to data portability (Article 20 of the GDPR), right to object (Article 21 of the GDPR) and rights related to automated decision making and profiling (Article 22 of the GDPR) on the conditions determined therein.

According to Article 23 of the GDPR, the EU or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the rights and obligations provided for in, among others, Articles 15–22 of the GDPR. The Polish legislator decided to introduce such restrictions with regard to, for example, business information, by limiting the right to restriction of processing and excluding the right to object,13 as well as with regard to processing carried out for journalistic purposes, by excluding the right to access, right to rectification, right to restriction of processing, right to data portability, right to object and the rights related to automated decision making and profiling.14

There have not been any specific laws enacted on enforcement of data subjects' rights in Poland. Nevertheless, such laws may be introduced in the future.

iv Specific regulatory areas

One of the most challenging aspects of the processing of personal data in Poland relates to the employer–employee relationship. It used to be common practice of Polish employers to process as much data of employees and candidates as possible. After the GDPR became directly applicable, this area has been regulated by the Polish regulations implementing the GDPR into the legal system (i.e., the Act and the Derogation Act, which have introduced amendments to the Polish Labour Code).15

The Polish legislator decided to clarify doubts that have arisen among employers after the GDPR became fully effective and explicitly indicated the legal grounds for processing of employees' and candidates' personal data. The Polish Labour Code now contains a catalogue of personal data that shall be requested by the employer from employees or candidates (the catalogue is different for each category).16 In such cases, the personal data is processed on the basis of Article 6(1)(c) of the GDPR (legal obligation). Other categories of personal data, not included in the aforementioned catalogue, may be requested by the employer in case it is necessary to exercise a right or fulfil an obligation envisaged in applicable laws (e.g., background checks with regard to criminal records in case of public officials or regulated professions).17 Candidates and employees shall disclose their personal data to the employer by means of declaration; however, the employer may request them to provide relevant documentation, to the extent necessary for its confirmation.18

According to the Polish Labour Code, candidates' and employees' personal data may also be processed on the basis of the data subject's consent, pursuant to Article 6(1)(a) of the GDPR, except for categories specified in the Polish Labour Code, which shall be processed on the basis of Article 6(1)(c) of the GDPR (legal obligation) and personal data referred to in Article 10 of the GDPR (personal data related to criminal convictions and offences).19 This encompasses both personal data disclosed by the candidate or employee on the employer's request and personal data shared on the initiative of the candidate or employee.20 As to the special categories of personal data referred to in Article 9(1) of the GDPR ('sensitive personal data'), the candidate's or employee's personal data may be processed only in case they are shared on the candidate's or employee's initiative.21 In line with the general requirements regarding consent envisaged in the GDPR, the Polish Labour Code states that lack of consent or its withdrawal by the candidate or employee cannot constitute a ground for less favourable treatment of the candidate or employee, nor can it result in any negative consequences for him or her; in particular, it cannot constitute a reason for refusal to employ a candidate or to terminate an employment agreement with the employee.22

Although it has not been expressed in the Polish Labour Code, there is a general view that the explicit indication of the above-mentioned legal grounds for processing does not prohibit employers from relying on other legal grounds for processing, such as legitimate interest (Article 6(1)(f) of the GDPR), provided that the processing is fully compliant with the GDPR. Such conclusion has also been expressed in an explanatory memorandum issued by the Polish government.

The Polish Labour Code has also been amended by the Act on amending certain acts due to the reduction of the retention of employment records and their digitalisation,23 which came into force on 1 January 2019 and aimed to meet the needs of Polish companies facing advancing digitisation. This act has, in particular, reduced the retention period of employment records from 50 years to 10 years (though it may differ in specific cases) and allowed the employers to decide whether they want to keep the employment records in paper or in electronic form (prior to the changes the employers were obliged to keep the employment records in paper form at all times).

v Technological innovation

Cookies

Polish law on the use of cookies has been introduced as an implementation of EU directives. Storing information on a user's computer, including the use of cookies, is allowed under the following conditions:24

  1. the user should be informed of the purpose of storing and using the information, and about the possibility of configuring the browser or service settings to set rules regarding the use of the information about the user;
  2. the user, after receiving this information, consents to this use of his or her data; and
  3. the information stored on the user's computer does not cause a change in the settings of the user's computer device or software.

Under Polish law, the consent of the user should not be implied. With respect to the consent for the use of information included in cookies, however, the law allows consent to be granted indirectly (by making a choice in a browser's settings). In practice, website users get initial information on the use of cookies each time they open a new website (via a pop-up banner). It is possible to use a website without accepting the cookie policy; however, website owners often require users to click the 'I understand' button before enabling full use of the website.

Non-compliance with the cookie law may result in a financial penalty of up to 3 per cent of the infringer's revenue from the previous year.25

Location tracking

In July 2017, GIODO (now PUODO) published a broad analysis of the impact of location tracking on privacy.26 The analysis covers both the Act and the GDPR.

According to the authority's stated view, data collected with reference to location tracking should be considered personal data. Therefore, the general rules for processing such data should be applied. The key principles applying to location tracking are the principles of legality,27 expediency,28 adequacy,29 substantive correctness,30 timeliness,31 and integrity and confidentiality.32 PUODO considers consent of the individual concerned to be the key legal basis for such processing.

As stated within the analysis, just as telecoms operators process a particular device's location using base stations, database owners with mapped wi-fi access points process personal data when calculating the location of a particular smart mobile device. By specifying both objectives and the means of such processing, these entities become controllers within the meaning of Article 4(7) of the GDPR.33

Electronic marketing

In terms of the Polish law regarding unsolicited commercial information, the rules of using electronic devices for marketing purposes remain unclear. It is forbidden to send commercial information by means of electronic communication (including emails, text messages and internet communicators) without the user's consent.34 This prohibition is broadly interpreted: even a company logo or a marketing slogan used in an electronic signature may be treated as commercial information. Moreover, this prohibition relates not only to sending emails to private persons, but also to individuals who represent companies. There is also a prohibition on the use of telecommunication devices or automated calling systems for direct marketing.35 Under this law, companies cannot make phone calls or send emails or text messages with their offers without users' prior consent. As a result of these two types of prohibition, companies started asking users to grant consent to these two types of action, which, coupled with the requests for consent for processing of personal data required on the basis of the GDPR, causes annoyance and lack of understanding on the part of the users.

The Derogation Act amended the relevant, abovementioned laws, i.e. the Act on Provision of Services by Electronic Means and the Telecommunications Law. The most significant change deriving from these amendments is that currently the consent to receiving commercial information by electronic means and the consent to direct marketing performed by means of telecommunication devices or automated calling systems shall fulfil the general requirements regarding consent provided in the GDPR.36

The Act on Provision of Services by Electronic Means explicitly states that online service providers may process customers' personal data, which is not necessary for the provision of the services, on the basis of the customer's consent. The Polish legislator has also indicated the purposes for which such data may be processed – marketing, market research, investigation of customers' behaviour and preferences (provided that the results of the latter would be used for improving the quality of the services).37 It is not clear whether this provision prohibits the marketers, while processing customers' data for the aforesaid purposes, from relying on other legal bases, such as legitimate interest (Article 6(1)(f) of the GDPR).

The above-mentioned provisions are intended to limit spamming. Spamming may be punished under five different acts of Polish law (the Act on Provision of Services by Electronic Means, the Act on Combating Unfair Competition, the Act on Combating Unfair Market Practices, the Act on Competition and Consumer Protection and the Telecommunications Law) with a maximum financial penalty of up to 10 per cent of the previous year's turnover. In practice, spammers and cold callers are rarely punished for their actions.

The new rules on the use of electronic devices for marketing purposes are expected with the adoption of the EU ePrivacy Regulation.

III INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

As to the international data transfer, these issues are now regulated by the GDPR provisions.

For now there are no specific laws in Poland regulating the matter of data transfer safeguards, when applicable, for the purpose of transferring personal data. Businesses operating in Poland often decide to implement standard contractual clauses or binding corporate rules, and some of them are a part of the Privacy Shield Programme.

However, it should be noted that data transfer itself may be subject to restrictions arising from national legislation, depending on the specific area in which the company is operating. Such restrictions arise for example from banking law, where approval of the Polish Financial Supervision Authority is required when banking activities are outsourced to an entity having its registered office outside the European Economic Area.38

IV COMPANY POLICIES AND PRACTICES

i Non-mandatory character

Under the Act, there are no requirements obliging the companies to adopt company policies in the meaning of specific documentation relating to personal data protection. However, adopting an online privacy policy became a common business practice among Polish online and e-commerce businesses. Many Polish companies, especially corporations, decided to introduce internal corporate privacy policies and internal privacy policies regarding employee rights and responsibilities. Moreover, a development and expansion of compliance and privacy departments in companies can be observed. In a number of cases, it is due to the obligation to appoint a data protection officer (DPO) deriving from Article 37 of the GDPR. However, many Polish companies decide to appoint a person responsible for privacy and data protection issues, although they are not required to do so by applicable laws.

ii Employee monitoring policies

The Act introduces a complex regulation of the matter of video surveillance in the workplace. It has to be highlighted that this issue had not been explicitly regulated in Polish law before and therefore it had been causing considerable uncertainty among Polish employers.

Pursuant to the relevant provisions of the Act, the employer is allowed to install video surveillance in case it is necessary to (1) ensure the safety of the employees; (2) protect property; (3) control the process of production; or (4) protect the trade secrets, the disclosure of which might cause damage to the employer.39 However, in line with the purpose and storage limitation principles expressed in the GDPR, the employer is required to ensure that the registered image recordings shall be processed by the employer only for the purposes for which they were collected, for a period not exceeding three months, in case the video recording is not evidence in legal proceedings or the employer has not been informed that it may be evidence in such proceedings.40 The employer is limited also as to the location of the video surveillance, owing to the provision of the Act that states that to lawfully install the video surveillance in sanitary rooms, cloakrooms, canteens, smoking rooms, the employer shall ensure that such monitoring is necessary for the allowed purposes and that it does not violate either the dignity and other personal rights of the employee or the principles of freedom and independence of the trade unions.41

The Act places strong emphasis on the information obligation in the context of video surveillance in the workplace, imposing on the employer an obligation to regulate the purposes, scope and the way of use of the surveillance in collective agreements with trade unions or in the internal workplace policies. If there is no collective agreement or the employer is not obliged to set workplace regulations, this information shall be included in a notice given to the employees. In each case every employee shall be provided in writing with the aforementioned information before he or she starts to carry out the work duties, and if the employee is already carrying out work duties – at least two weeks before the launch of the video surveillance. The employer is also obliged to indicate the monitored rooms and areas in a clear and visible manner, through the use of appropriate signs or acoustic signals, no later than one day before the launch of the video surveillance. The Act explicitly states that the aforementioned obligations are without prejudice to the information obligation deriving from the GDPR provisions.42

The Polish legislator decided to regulate also the issue of email correspondence surveillance conducted by the employers,43 which – unlike video monitoring – is allowed to be undertaken for the purpose of exercising control over the working time and the potential off-duty activities of the employees, as the relevant provision states that it may be introduced when it is necessary 'to ensure the workflow enables full use of the working hours and proper use of work tools handed to the employee'. However, this kind of workplace surveillance is also facing some limits, as its conduct cannot infringe the privacy of correspondence and the personal rights of the employees. It should be noted, though, that the information obligations in case of email surveillance correspond to the obligations imposed on the employer in case of video surveillance.

V DISCOVERY AND DISCLOSURE

As a general rule, for the purposes of criminal proceedings, courts and prosecutors may demand any information and documents that may be needed for proceedings, including documents that contain personal data. There are specific provisions of law that relate to revealing personal data for the purposes of criminal proceedings held by authorities from EU countries.44 Disclosing personal data to such authorities by a Polish institution requires their initial verification as to accuracy and completeness. A disclosing institution may impose certain requirements on data receivers, such as removing personal data after a certain time or limiting the scope of personal data processed.

Apart from courts and prosecutors, there are numerous other authorities and institutions that may request a disclosure of information, such as the Polish Police Force, the Internal Security Agency, the Polish Border Guard, the Central Anti-Corruption Bureau and the Polish Military Police.

VI PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The Act indicates explicitly that the PUODO is the body responsible in Poland for data protection issues and that it is the Polish supervisory authority in the meaning of the GDPR.

The Act defines the scope of competence of PUODO, which involves among others (1) conducting proceedings on infringements of data protection laws and imposing administrative fines according to the relevant GDPR provisions, and (2) monitoring of compliance with the data protection laws. These tasks, consistent with the GDPR provisions, are thoroughly described in the Act, with relevant references to Polish applicable laws.

As to the proceedings on infringements of data protection laws, the Act indicates the manner, in which the Polish general administrative procedure shall be applied, taking into account the specificity of the data protection cases. The Act establishes also the procedure applicable to the monitoring of compliance conducted by PUODO, which may be conducted in particular in the form of inspection. An inspection can be performed only under numerous restrictions, which were imposed by the Polish legislator in order to assure the participation of the controlled entity or person and the transparency of the activities undertaken during an inspection. The scope of control is also limited as to its time frame, locations subject to control and types of evidence that may be considered during a control.

It has to be highlighted that pursuant to the Act, unlawful or unauthorised processing of personal data constitutes a criminal offence, which may be prosecuted by the prosecutor and is punishable by a fine, restriction of liberty or imprisonment of up to two years. However, in case the personal data involved belongs to the special categories of data as understood in Article 9 of the GDPR, the possible restriction of liberty or imprisonment sanction is increased to a maximum of three years. The Act establishes also criminal responsibility for frustrating or impeding an inspection regarding the compliance with data protection laws, and therefore such actions are penalised with a fine, restriction of liberty or imprisonment for up to two years.

ii Recent enforcement cases

The first fine of 943,470 zlotys for the infringement of Article 14(1)–(3) of the GDPR was imposed due to the failure to inform data subjects about processing of their personal data.

The fined company processes personal data obtained from publicly available sources, including public registers, for commercial purposes. In its databases, there were over 7 million records of natural persons, including personal data of individual entrepreneurs, shareholders or members of relevant bodies of legal persons. When fulfilling obligations arising from the GDPR, the company provided the privacy notice to those data subjects, whose email addresses were publicly accessible in its database (as it is possible to conceal e-mail addresses and less than 1 million of the data subjects opted to have it accessible and others also provided phone numbers), but did not provide privacy notices via post for all other data subjects. In the company's opinion, fulfilling this obligation would have resulted in disproportionate effort and would have entailed an amount equal to the annual turnover for FY 2018. Thus, the company decided to publish the full version of the privacy notice on its website.

The PUODO found that this action was insufficient – while having other contact data (postal addresses and telephone numbers) for some of the data subjects, the controller should have fulfilled the obligations arising from Article 14 of the GDPR toward entrepreneurs currently conducting business activity or those who conducted such activity in the past, as well as toward entrepreneurs who suspended it.

When imposing the fine, in its announcement, the PUODO emphasised that the amount of the fine was caused by the fact that the infringement of the controller was intentional – the company was aware of the obligation to provide data subjects with the relevant information, as well as the need to inform them directly. The PUODO indicated also that it took into account the fact that the controller did not take any action that would eliminate the infringement, nor did it declare such intention.

The second fine of 55,750.50 zlotys for the infringement of Article 5(1)(f), Article 32(1)(b) and Article 32(2) of the GDPR was imposed for failure to ensure the security and confidentiality of processed data.

One of the Polish football associations made public on its website the personal data of football referees to whom licences had been granted. Apart from personal data such as their names, their residence addresses and personal identification numbers were also published. The infringement affected 585 natural persons, was notified to the PUODO by the association and finally eliminated. However, as the PUODO indicated in its announcement, the controller took limited actions to eliminate the infringement, outsourced it to an external entity and did not verify the final result. This fact was decisive in the matter of imposing the fine on the association.

PUODO emphasised also that when deciding on the amount of the fine, the duration of the infringement and the number of people affected, which in its opinion was large, were taken into account. However, the fact that there was no evidence of damage suffered by the data subjects affected and the fact that the association cooperated with the PUODO in the course of the proceedings were mitigating factors.

iii Private litigation

Private litigation in relation to privacy and personal data does not have much of a profile in Poland and case law is scarce in this field. Last year saw one interesting case concerning smog and the overall air quality; the government was successfully sued based on the infringement of privacy and moral rights. The claimant argued that the government was obliged to take necessary steps to improve the quality of the air, and that by not doing so it invaded the citizen's private life and caused personal injury.45

VII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

It has to be noted that owing to the GDPR being directly applicable, foreign organisations do not have to be too concerned with complying with Polish regulations, since data protection law has been unified in the majority of aspects.

However, the provisions of the recently adopted Act have to be taken into account, especially with regard to the above-mentioned video surveillance in the workplace. There are also some other regulations that shall be considered, for example, the Polish Labour Code, which explicitly indicates the scope of data that may be requested by an employer in relation to the employment, as well as the scope of data that may be requested in the recruitment process. Therefore, all data processed in relation to the employment and recruitment processes that exceed the aforesaid remits shall be processed on the basis of the data subject's consent. It has to be highlighted also that according to the applicable laws, all data protection documentation must be kept in Polish.

In regard to data transfer matters, foreign organisations shall take into account the above-mentioned considerations on restrictions of international data transfer.

VIII CYBERSECURITY AND DATA BREACHES

i Cybersecurity

On 5 July 2018, the Act on the National Cybersecurity System implementing the NIS Directive into the Polish legal framework was voted on by the legislative bodies and on 1 August 2018 it was signed by the President of Poland and is now binding.

The purpose of this act is in particular to organise the national cybersecurity system and to indicate the tasks and duties of the entities included in the Polish cybersecurity system. The system imposes different obligations on the operators of essential services, digital service providers, public entities as well as CSIRT MON, CSIRT NASK and CSIRT GOV. However, not all business entities are subject to the new regulation. Operators of essential services are entities to whom the decision on recognising them as an operator of essential services was issued and those which belong to the sector and subsector indicated in Appendix 1 to the Act on the National Cybersecurity System. Appendix 1 indicates, among others, entities from the energy sector, transport service providers, and entities providing banking services or healthcare services. The list of essential services was further specified in an executive regulation issued by the Council of Ministers.46 The operators are obliged to recognise, register, analyse and take measures to remedy incidents that could endanger cybersecurity. For the purpose of prevention, they shall collect all possible information about cybersecurity threats and apply preventive measures limiting the occurrence of incidents.

The operators of essential services are also obliged to designate a contact person responsible for communication with entities within the national cybersecurity system. Moreover, it is necessary for them to carry out an audit of the security of the IT systems used for the purpose of providing essential service – at least once every two years.

The category of digital service provider involves legal persons or organisational units without legal personality, having their registered office or management on the territory of Poland or representatives with an organisational unit in Poland, that provide digital services. Exceptions to the above are microentrepreneurs and small entrepreneurs within the meaning of the Entrepreneurs' Law.47 Digital services – in accordance with Appendix 2 to the Act on the National Cybersecurity System – are online marketplaces, cloud computing services and online search engines. The obligations of digital service providers are narrower than the obligations of operators of essential services.

Public entities that fall within the scope of the Act on the National Cybersecurity System are exhaustively listed in the act or specified in regulations on specific areas, such as public finance.

In the scope of their services, entities within the cybersecurity system have the possibility to outsource services based on a contract.

ii Data breaches

The GDPR imposes a general obligation on the controllers regarding notifying data breaches to the relevant supervisory authorities. It also defines the elements that each notification has to include.

According to the Act, the PUODO may maintain an IT system through which the controllers shall be able to notify data breaches, though notification by post is also allowed.48

Therefore, on the PUODO's website there is an electronic form available, which is intended to be used while notifying a data breach, along with instructions for the controllers. It should be stressed that the scope of information required in the form is much broader than the scope of information determined in the GDPR.

For instance, regarding the nature of the breach, the controller is required to state whether the breach is a data confidentiality breach, a data integrity breach, or a data accessibility breach, each of which the form briefly explains. The controller is also obliged to indicate what the breach consisted of; the form offers some suggestions in the form of check boxes. The form requires the controller to indicate whether the breach was caused by intentional or unintentional, internal or external action, as well as to provide an additional description of the cause. The scope of information is also broadened in the case of categories of data (owing to the requirement to classify them as e.g., 'identification data', 'economic data', 'official documents', etc). The form also requires the controller to provide detailed information on the measures taken or proposed to address the data breach, in particular regarding communication with data subjects that has been carried out or is planned, including the date and the means of the communication and the number of data subjects, as well as to provide the supervisory authority with the exact wording of the communication. The controller is also required to state whether the breach has already been notified to foreign supervisory authorities and – if applicable – to indicate what kind of legal obligations were met by such notification.

As to the manner of notifying the data breach to the supervisory authority, to settle official matters by electronic means in Poland it is necessary to acquire a trusted profile or an electronic signature supported by a qualified certificate.49 A trusted profile is a free-of-charge method of confirming identity in electronic contacts with Polish administration, and some banks have synchronised their systems to allow identification for the profile via online banking profiles. It can therefore be assumed that the electronic procedure of notifying data breaches will enjoy wide popularity among Polish entrepreneurs.

IX OUTLOOK

Businesses in Poland are waiting for the next guidelines from the regulator – in particular related to the execution of data subjects' rights. Some should also be issued by the Ministry of Digital Affairs, as several expert working groups created by the Ministry have been preparing GDPR white papers. Business will likely see further enforcement actions, in particular in relation to data breaches, which are quite common. It seems that the market expects strong messages from the regulator in this field – significant fines are therefore inevitable.

What is interesting is that a few sectors expect their codes of conduct to be accepted by the PUODO. This includes the banking, internet advertising and healthcare sectors that are now working on the draft codes.

Further, we will see what impact Brexit will have on transferring personal data to the UK, as well as whether the EU Model Clauses and Privacy Shield will remain in force after the Schrems 2.0 case.


Footnotes

1 Anna Kobylańska and Marcin Lewoszewski are partners, and Aleksandra Czarnecka and Karolina Gałęzowska are associates at Kobylańska Lewoszewski Mednis Sp. J. The authors wish to thank Maja Karczewska, a former associate, who co-authored the chapter.

2 The Act of 21 February 2019 on amending certain acts in order to ensure enforcement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

8 The Act of 13 April 1964 – Civil Code.

9 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046).

10 Available in English at: www.giodo.gov.pl/en/408/171.

11 The Act of 10 May 2018 on the Protection of Personal Data.

13 Article 3 of the Act of 9 April 2010 on sharing business information and exchange of business information.

14 Article 2, Section 1 of the Act on the Protection of Personal Data.

15 The Act of 26 June 1974 - Labour Code.

16 Article 22(1), Section 1 and 3 of the Act of 26 June 1974 - Labour Code.

17 Article 22(1), Section 4 of the Act of 26 June 1974 - Labour Code.

18 Article 22(1), Section 5 of the Act of 26 June 1974 - Labour Code.

19 Article 22(1a), Section 1 of the Act of 26 June 1974 - Labour Code.

20 Article 22(1a), Section 3 of the Act of 26 June 1974 - Labour Code.

21 Article 22(1b), Section 1 of the Act of 26 June 1974 - Labour Code.

22 Article 22(1a), Section 2 of the Act of 26 June 1974 - Labour Code.

23 The Act of 10 January 2018 on amending certain acts due to reduction of the retention of employment records and their digitalisation.

24 Article 173, Section 1 of the Act of 16 July 2004 – Telecommunications Law.

25 Articles 209 and 210 of the Act of 16 July 2004 – Telecommunications Law.

26 Available at: http://giodo.gov.pl/pl/1520297/10068 (only Polish version).

27 Article 23, Section 1(1) of the Act on the Protection of Personal Data.

28 Article 23, Section 1(2) of the Act on the Protection of Personal Data.

29 Article 26, Section 1(3) of the Act on the Protection of Personal Data.

30 Article 26, Section 1(3) of the Act on the Protection of Personal Data.

31 Article 23, Section 1(4) of the Act on the Protection of Personal Data.

32 Article 36 of the Act on the Protection of Personal Data.

33 Available at: http://giodo.gov.pl/pl/1520297/10068 (only Polish version).

34 Article 10 Section 1 of the Act of 18 July 2002 on Provision of Services by Electronic Means.

35 Article 172 Section 1 of the Act of 16 July 2004 – Telecommunications Law.

36 Article 4 of the Act of 18 July 2002 on Provision of Services by Electronic Means; Article 174 of the Act of 16 July 2004 – Telecommunications Law.

37 Article 18, Section 4 of the Act of 18 July 2002 on Provision of Services by Electronic Means.

38 Article 6d, Section 1 and Article 4, Section 3 of the Act of 29 August 1997 – Banking Act.

39 Article 22(2), Section 1 of the Act of 26 June 1974 - Labour Code.

40 Article 22(2), Section 3 and Section 4 of the Act of 26 June 1974 - Labour Code.

41 Article 22(2), Section 1(1) and Section 2 of the Act of 26 June 1974 - Labour Code.

42 Article 22(2), Section 6 – 10 of the Act of 26 June 1974 - Labour Code.

43 Article 22(3) of the Act of 26 June 1974 - Labour Code.

44 Act of 16 September 2011 on Exchanging Information with the Law Enforcement Authorities of the EU Member States, Third States, Agencies of the EU and International Organisations.

46 Regulation of the Council of Ministers on the list of essential services and thresholds on the significance of a disruptive effect of incident on the provision of essential services as of 11 September 2018.

47 Act of 6 March 2018 - Entrepreneurs' Law.

48 As confirmed by the PUODO's official mini guide to breach notification https://uodo.gov.pl/pl/134/233.