The e-Discovery and Information Governance Law Review: Poland
In general, Poland has not adopted the concept of e-discovery as it is understood in common law jurisdictions such as the United States. However, collecting and using evidence for civil or criminal proceedings is regulated in detail under Polish law. The case law related to evidence as such is also broad and has a long history.
There are some provisions of Polish law that relate to the use of electronically stored information (ESI), as detailed in Section II.
In addition, practitioners have a well-established view in relation to collecting and using electronic evidence from the perspective of privacy regulations. These regulations are the main concern for businesses when it comes to, for example, investigations connected to employment matters.
Year in review
Amendments to the Code of Civil Procedure (CCP) and the Civil Code came into force in 2016 that specified that electronic documents are explicitly allowed as evidence in civil proceedings, and in many cases this evidence may be of even greater importance than standard, physical evidence. The amendments take into account the development of electronic means of information exchange and introduce a broad definition of a document, which breaks with the traditional understanding of this concept as information recorded only in the form of a letter bearing a signature.
Along with the amendment of the Civil Code, new specific forms of legal acts were introduced (i.e., a document form and an electronic form). It is particularly important that in respect of the provision of a written document or electronic form without the clause of invalidity, if the provided form is not preserved, evidence from witnesses' testimony or hearing the parties on the execution of the action is not admissible in a dispute.
According to Article 77(3) of the Civil Code, a document is an information carrier enabling its content to be read. This definition breaks with the common understanding of a document recorded on paper. Thus, a document will also include images, sounds, emails, SMS messages, scans, faxes or computer files.
This is functionally complemented by the rules of civil procedure, where, according to Article 243(1) of the CCP, to classify a material as a document, the issuer of the document must be identifiable (by means of a signature or other identifying mark). The courts must assess whether a document requires a signature to determine whether the rules on document evidence apply.2 If the issuer cannot be identified, the evidence will be classified as other evidence, as defined in Article 309 of the CCP.
The rules applying to electronic documents as evidence generally do not differ from the general provisions on evidence. However, pursuant to Article 254, Section 2(1), an issuer of an electronic document may, when necessary, be requested by the court to provide it with the data carrier on which the document is stored. Section 2(2) provides an exception to the obligation to present a data carrier for certain categories of witnesses who would be legally allowed to refuse to answer a question regarding the source of the electronic document; for example, whether it was created on the data carrier or uploaded there by the witness (this relates, in particular, to family members, who may refuse to testify in a relative's case).
The aforementioned other evidence has the same probative value as other types of evidence. The courts have expressly determined, among other things, that a print screen or an email3 that does not contain a signature4 shall be treated by the courts as other evidence. It was admitted that computer printouts may be used for determining certain facts of a case: however, they can prove no more than that a particular computer record existed at the moment of producing the printout.5 Nonetheless, this does not prevent parties to proceedings from presenting other materials as evidence, if it helps them prove their case. More judgments that refer to new kinds of electronic evidence are expected.
Concerning evidence in civil proceedings, amendments to the CCP came into force in 2019. In general, they did not affect the above-mentioned provisions of law; rather, they introduced detailed changes to the rules of proceedings, including a rule that documents on the file constitute evidence and no separate court arrangement is required in this regard.
The admissibility of electronic evidence is not questioned in criminal proceedings. There is no legal definition of evidence in the Code of Criminal Procedure. This term is mainly understood in legal literature as any means, permitted by law, relevant to the determination of the issues in the case.
The Code of Criminal Procedure does not provide definitions of electronic document or electronic evidence, which could be further developed in the courts' decisions. In Polish legal literature, some classifications of electronic evidence used in criminal proceedings are being created and developed. At present, electronic documents or electronic evidence are included in the general Article 115, Section 14 of the Criminal Code defining a document as any object or other recorded information carrier to which a specific right is attached or which, because of its contents, constitutes evidence of a right, legal relationship or circumstance of legal significance. However, the principle of free assessment of evidence applies to criminal law, as it does to civil law; therefore, these classifications will mostly be theoretical.
The Supreme Court has stated that it is not necessary for an object to fall within the above-mentioned definition of a document to be treated as document evidence in criminal proceedings.6
There are no specific rules for collecting electronic evidence. At the time of writing, there have been no announced changes to policy or legislation regarding electronic evidence in civil or criminal proceedings.
Control and preservation
Polish law does not provide for e-discovery obligations related to the preservation of ESI. There are provisions of law that relate to destroying or hiding evidence that are necessary for legal proceedings that apply to all types of evidence.
Under the Code of Criminal Procedure, any user of a device containing digital data or a computer system in which data is stored, including correspondence sent via email, is obliged to hand it over to a court or prosecutor, or – in urgent cases – at the request of the police or other authority (if the data constitutes evidence in a given case). If an individual does not voluntarily hand over evidence, the evidence can be taken by the appropriate authority by force. To detect or seize electronic data that may constitute evidence, relevant authorities (including the police) can search premises and other places where there are reasonable grounds to believe that the data could be.
Offices, institutions and companies conducting telecommunications activities must secure, at the request of a court or the Public Prosecutor, for a period not exceeding 90 days, digital data stored on their devices (including data on storage media and in computer systems). They must secure the data in a way that prevents it from being deleted and enables it to be easily handed over at the request of a court.
Any person who hinders or prevents criminal proceedings by concealing, destroying or distorting evidence (including destroying digital data) may be subject to criminal sanctions, including up to five years' imprisonment. Destruction of evidence covers any act that prevents judicial authorities from discovering a crime or proving that the perpetrator is at fault.
Requests and scope
The law does not specify that parties must meet and confer in the context of disclosure of ESI. There are provisions of law that relate to an obligation to produce evidence to a court in civil proceedings that apply to all types of evidence.
Under the CCP, parties must produce evidence to establish facts to successfully argue their case. In this procedure, all parties may be obliged to submit, by order of the court, on a specified date and in a specified place, the data in their possession that constitutes evidence of a fact relevant to the resolution of the dispute. There are no sanctions if a party refuses to produce the evidence requested, but the court may take this as an indication that the evidence contradicts the party's statement and may, therefore, support the opposing party's statement.
If a court requests a third party to produce evidence and it refuses to do so without legitimate grounds, it may be subject to a fine. If the third party complies with the court's request, it has the right to demand reimbursement of expenses connected with producing the evidence.
Review and production
Relatively recently, Poland has begun to acknowledge the use of digital sources of information in statutes, such as the CCP and the Code of Criminal Procedure. Consequently, civil and criminal proceedings still tend to focus on traditional sources of evidence, such as paper documents, witness testimony and, in criminal cases, materials gathered by law enforcement authorities (the police and the Public Prosecutor) during operational activities, including lawful searches and interception of communications.
The limited regulation on the use of ESI covers the collection of ESI by law enforcement authorities during criminal proceedings, the obligation of parties to produce ESI as evidence and the method of assessing ESI in civil proceedings.
According to Article 218a of the Code of Criminal Procedure, offices, institutions and companies conducting telecommunications activity are obliged, upon the request of the court or the Public Prosecutor in the form of a written decision, to immediately secure, for a period not exceeding 90 days, electronic data stored on data storage devices (e.g., hard drives) or in IT systems.
The Code of Criminal Procedure also provides that the holder and user of a device containing electronic data or an IT system has to acquiesce to a lawful search conducted by a competent authority with regard to the data stored on this device or in this system, or on a data storage device in their possession or use, including email correspondence.
A search is lawful under criminal law if there are justified grounds for believing that specified objects that might constitute evidence in a case or are subject to seizure in criminal proceedings (e.g., electronic files) may be found on the premises (Article 219, Section 1). Objects that may serve as evidence or are subject to seizure to secure financial penalties, penal measures of a financial nature, forfeiture, compensatory measures or claims for compensation for damage should be surrendered at the request of the court, the Public Prosecutor or, in urgent cases, the police or another authorised agency (Article 217, Section 1).
The holder of an object subject to seizure is called upon to surrender it voluntarily (Article 217, Section 2). However, if the holder refuses, the object may be seized by force, provided appropriate procedures are followed; for example, the holder should be properly informed about the legal basis for the seizure, and a formal written protocol from the seizure should be drawn up (Article 217, Section 5).
A search may be conducted by the Public Prosecutor, acting upon an order of a court, or by the police, acting upon an order of a court or the Public Prosecutor, or, in cases specified by the law, by another agency (Article 220, Section 1). A person whose premises are to be searched should be presented with a warrant issued by a court or the Public Prosecutor (Article 220, Section 2). In urgent cases, the authorities may conduct a search without the appropriate order, but approval from the court or Public Prosecutor must be sought promptly afterwards.
If the person on whose premises an object was seized or a search was conducted declares that a document found or surrendered contains confidential information or information constituting a professional or other legally protected secret, or is of a private nature, the authority conducting the search should immediately, without reading it, hand the document over to the Public Prosecutor or to the court in a sealed envelope (Article 225 Section 1).
The procedure does not apply to correspondence or other documents containing information classified as privileged or confidential, or information constituting a professional or other legally protected secret, if the holder is suspected of having committed an offence. It also does not apply to letters or other documents of a personal nature if the person suspected of having committed an offence is the holder, author or addressee (Article 225, Section 2).
Similarly, if the defence counsel declares that correspondence or other documents surrendered or found in the course of a search contain information pertaining to the performance of his or her function, the authority conducting the search must leave the documents with him or her without familiarising himself or herself with their contents or appearance. However, if this statement is made by a person who is not a defence counsel, but is in possession of documents of that nature, the law requires the agency conducting the procedure to hand the documents over to the court, without reading them, in a sealed envelope.
If the documents are seized, the court, having acquainted itself with their contents, must return them in their entirety or in part to the person from whom they were taken or must issue a decision that the documents be retained for the purposes of the proceedings (Article 225, Section 3).
The Code of Criminal Procedure also provides for general rules regarding interception of electronic communications. The rules that apply to the surveillance of telephone conversations also apply to the surveillance and recording by technical means of the content of other conversations or messages, including email correspondence (Article 241).
After the commencement of proceedings, the court, at the request of the Public Prosecutor, may order surveillance and recording of the content of telephone conversations by way of telephone tapping to gather evidence for proceedings in progress or to prevent the perpetration of a new offence.
In urgent cases, surveillance and telephone tapping may be ordered by the Public Prosecutor, who must request the approval of the court within three days. The court must issue its decision on this matter within five days at a closed hearing (without the participation of the parties). If the court does not approve the Public Prosecutor's order, any existing recordings must be destroyed. An appeal against the decision stays its execution.
Surveillance and telephone tapping are permissible with regard to:
- a person suspected of an offence;
- an accused person;
- an aggrieved person; and
- any other person whom the accused may contact or who may be connected with the accused or with the potential offence.
Offices and institutions conducting telecommunications activity, and telecommunications companies, are obliged to facilitate the execution of a court or Public Prosecutor's order concerning surveillance and telephone tapping and ensure that they register the surveillance.
With regard to civil procedure, the regulations are more general. In practice, any advanced analytical tools involved in the analysis, review and production of ESI are most likely to be used by expert witnesses requested by the court or parties to participate in the proceedings.
The Polish legal system is based on the idea that the courts are free in their assessment of the impact and admissibility of evidence presented during proceedings. As a consequence, no precise rules regarding the use of technology-assisted review or the manner in which ESI should be collected or secured have been adopted in the procedural codes of Polish law. The courts generally rely on the testimony of expert witnesses who – when summoned by the court – have to assess certain aspects of the evidence, as requested by the court.
In both civil and criminal proceedings, the party against whom electronic evidence is presented may challenge the evidence by raising arguments about its value, authenticity, admissibility or quality. In doing so, the party may also ask to consult an expert witness, which is the most reasonable way to have the evidence verified. Ultimately, it is up to the court to decide whether those arguments should prevail and if the evidence should be disqualified.
The law does not provide sanctions for failure to produce discoverable ESI or misuse of disclosed ESI. Only general rules apply, according to which, if so directed by the court, each party must produce, within a prescribed time limit and at a specified place, any document that is in its possession and that evidences a fact that is relevant to the case's determination, unless the document contains classified information (Article 248, Section 1). If a third party refuses to produce evidence, it will be fined by the court if it, or the parties, cannot justify the refusal (Article 251).
On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force and became directly applicable in Poland and the other Member States of the European Union. The GDPR has a significant impact on the discovery and disclosure of ESI whenever this information (wholly or partly) relates to an identified or identifiable natural person. In those cases, the rules for processing personal data set out in the GDPR apply and must be observed by any person or entity that determines (alone or jointly with others) the purposes and means of the processing of personal data (i.e., the data controller).
A particularly significant issue related to personal data processing is the necessity to identify a valid legal basis for processing activities, such as storing (including in electronic form) and sharing (granting access to) personal data. In accordance with Article 6.1 of the GDPR, processing is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
The defined catalogue of legal bases for personal data processing requires data controllers, with regard to discovery or disclosure of ESI comprising personal data, to search for and choose an applicable option. Generally, in court proceedings, points (c) and (f) are applicable.
Point (c) may be relied upon by a data controller if a specific provision of law requires a person or entity to disclose certain categories of personally identifiable information for a specific purpose. Under Polish law, an example of this is a list of required information to be included in admissible pleadings (Article 126 of the CCP). However, owing to the versatile nature of potential evidence in both criminal and civil cases, it seems unlikely that a provision of law will be sufficiently precise in respect of the scope and purpose of personal data to be disclosed for a controller to be able to rely upon it.
Consequently, point (f) must be considered by a controller wishing (or required to) disclose personal data or obtain it in the course of (or in relation to) legal proceedings. The existence of a legitimate interest of a controller (or a third party) must be assessed, taking into account various factors.
Recital 47 of the GDPR indicates that the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. It specifies that the existence of a legitimate interest requires careful assessment, including of whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Consequently, a controller – when collecting personal data – must be diligent when editing its data processing information clauses, required by the GDPR, and ensure that the potential disclosure of personal data within relevant proceedings is listed as a potential form of processing of an individual's data.
The Recital goes further to indicate that interests and fundamental rights of the data subject could override the interests of the data controller where personal data is processed in circumstances where data subjects do not reasonably expect further processing.
According to the GDPR, processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller. In any case, a particular disclosure will require the controller to perform a legitimate interest assessment and, according to its outcome, disclose or refrain from disclosing the data, at least in a form that identifies the data subject.
Should a controller decide to anonymise the data it is submitting in proceedings, the information could be dismissed by the court as altered and not admissible as evidence.
The GDPR includes a separate list of circumstances allowing for lawful processing of certain categories of personal data, including data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometrics (for the purpose of uniquely identifying a natural person), health and a natural person's sex life or sexual orientation. One admissible circumstance is when processing is necessary for the establishment, exercise or defence of legal claims (Article 9.2(f)).
As an EU regulation, the GDPR does not restrict transfers of data within the European Union. However, transferring personal data outside the European Union (or, more specifically, the European Economic Area) is restricted, unless specific conditions are met. The conditions depend on the level of risk posed by different circumstances accompanying a given transfer; therefore, a transfer of personal data to a third country or an international organisation may take place if the European Commission (the Commission) decides that the third country, or a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. This type of transfer does not require specific authorisation (Article 45 of the GDPR).
In the absence of an adequacy decision from the Commission, a controller may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available (Article 46.1). The appropriate safeguards may constitute:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules (within a group of companies);
- standard data protection clauses adopted by the Commission in accordance with the examination procedure;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including in respect of data subjects' rights; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
If there is no valid adequacy decision from the Commission, nor any appropriate safeguards in place, a transfer or a set of transfers of personal data to a third country or an international organisation can take place only under strict conditions, one of which is that the transfer is necessary for the establishment, exercise or defence of legal claims (Article 49.1(e) of the GDPR). This requisite must be sufficiently justified and documented by the transferor.
According to Article 48 of the GDPR, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a Member State, without prejudice to the other admissible grounds for transfer described above.7
Outlook and conclusions
Providers of e-discovery services in relation to pre-litigation and litigation matters are common in Poland. Demand for those services is continuously growing; thus, the Polish legal framework must be reviewed and updated by the legislature with regard to incorporating provisions on the collection and use of ESI. This would be beneficial for parties to proceedings, lawyers and the courts, as it would bring more clarity and transparency and would increase legal certainty for all parties involved. However, at the time of writing, there have been no announced changes to policy or legislation regarding electronic evidence in civil or criminal proceedings.
1 Anna Kobylańska and Marcin Lewoszewski are partners and Aleksandra Czarnecka and Robert Brodzik are associates at Kobylańska Lewoszewski Mednis Sp j.
2 By decision of the Szczecin Court of Appeal dated 22 October 2020, reference number: I ACa 424/20.
3 By decision of the Warsaw Court of Appeal dated 24 October 2017, reference number: VII ACa 938/17.
4 By decision of the Łódź Court of Appeal dated 1 September 2016, reference number: I ACa 254/16.
5 By decision of the Katowice Court of Appeal dated 8 February 2019, reference number: I ACa 767/18.
6 In its judgment dated 3 March 2011, reference number: V KK 311/10.
7 Additional consideration should be given to the requirements for transfers of personal data as concretised in the judgment of the Court of Justice of the European Union of 16 July 2020, C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (i.e., the level of the domestic privacy regime, data protection legislation or surveillance practices in the relevant country).