Data Protection in Poland

Collection and processing in Poland

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle);
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
  • Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle);
  • Accurate and where necessary kept up-to-date (accuracy principle);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle);
  • Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle).

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time);
  • Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • Where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
  • Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
  • Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  • Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

  • With the explicit consent of the data subject;
  • Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • In limited circumstances by certain not-for-profit bodies;
  • Where processing relates to the personal data which are manifestly made public by the data subject;
  • Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
  • Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
  • Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices;
  • Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to re-purpose personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • Any link between the original purpose and the new purpose;
  • The context in which the data have been collected;
  • The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
  • The possible consequences of the new processing for the data subjects;
  • The existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • The identity and contact details of the controller;
  • The data protection officer's contact details (if there is one);
  • Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • The recipients or categories of recipients of the personal data;
  • Details of international transfers;
  • The period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • The consequences of failing to provide data necessary to enter into a contract;
  • The existence of any automated decision making and profiling and the consequences for the data subject;
  • In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

  • The right of access does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
  • In addition, controllers performing public tasks are exempted from the obligation under Article 15 of the GDPR if it serves the performance of a public task, if it is necessary for the purposes referred to in Article 23(1) of the GDPR, and if the performance of these obligations would prevent or significantly impede the proper performance of the public task (where the interest or fundamental rights or freedoms of the data subject are not overridden by the interest resulting from the performance of that public task) or if it would violate the protection of classified information.
  • The right of access is also limited due to the need for the proper performance of the public task. Data controllers who have received personal data from an entity carrying out a public task do not fulfill this obligation where the entity providing the personal data has made a request in this regard due to the necessity for the proper performance of a public task aimed, for example, at: the prevention of crime, the detection or prosecution of criminal acts or the execution of penalties, including the protection against and prevention of threats to public safety, or the protection of the economic and financial interests of the state. However, the controller must respond to a person's request in a way that makes it impossible to determine that the controller is processing personal data received from an entity performing a public task.
  • The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of access, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to rectify (Article 16)

  • The right to rectify does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
  • The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of rectification, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to erasure ('right to be forgotten') (Article 17)

  • The right to erasure is subject to limitation under the Labor Code. The employer must keep employee documentation a period of 10 years after the termination of employment, which excludes the earlier deletion of such data at the request of a former employee. In addition, the Act on Accounting imposes an obligation to keep accounting records (e.g. employee pay slips, books of account) for at least 5 years.

Right to restriction of processing (Article 18)

  • The right to restriction of processing does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
  • The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to restriction of processing, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to data portability (Article 20)

  • The right to data portability does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.

Right to object (Article 21)

  • The right to object does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
  • The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to objection, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Poland regulation

The new PDPA includes some derogations from the GDPR. However, the draft of the Implementation act is likely to introduce more provisions which elaborate on the provisions of the GDPR on the collection and processing of personal data. It is important to note that the Polish legislator has decided to include derogations regarding labour law both in the new PDPA and in the Implementation act.

The new PDPA contains provisions amending, among others, the Labour Code. These provisions provide for circumstances under which the employer can carry out video surveillance, email monitoring and other employee monitoring activities. Video surveillance may be implemented if it is necessary to ensure the safety of employees or the protection of property or production control or to keep information, the disclosure of which could cause damage to the employer, confidential. Monitoring of work emails may be implemented if it is necessary to ensure maximum work efficiency and the proper use of work tools made available to the employees. The scope, means and purposes of the employee monitoring must be provided to the employees via workplace regulations or other, exhaustively listed, means at least two weeks before the monitoring starts. The legality of a particular monitoring scheme should be assessed on a case-by-case basis.

The new PDPA also prescribes the maximum retention period of the information obtained from video monitoring (it must not be stored indefinitely). The mater can be retained for three months after the recording took place, unless the recording constitutes (or may constitute) evidence in legal proceedings. In this case, the material may be stored until the final decision in the proceedings is issued. In relation to the retention period of information obtained via any other form of employee monitoring, the general rules of the GDPR apply - the material can be retained as long as is reasonably needed for the purposes for which it was collected. The remaining changes to the Labour Code are included in the Implementation act.

For example, the employer may process the personal data of its employees or job applicants referred to in Article 9(1) with consent however only if the data was given on the data subject's own initiative. Another significant amendment is to the scope of data requested when applying for a job. Although address as well as parents' names are no longer needed, contact details should be provided. Changes in video surveillance would allow an employer to locate cameras in sanitary areas upon prior consent from the enterprise trade union or the employee representative who has been chosen in the way prescribed by an employer. However, the monitoring shall not cover the premises made available to the enterprise trade union.

Continue reading

  • no results

Previous topic
Back to top