Data Protection in Poland

Electronic marketing in Poland

EU regulation

Electronic marketing activities are subject to regulation under Polish data protection law, i.e. the Electronic Communications Act.

The processing of personal data for its own marketing purposes by a data controller (as well as other companies from the group) may be based on Article 6 sec. 1(f) of the GDPR, i.e. the legitimate interests of the data controller, and it does not require separate consent. However, the data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services of third parties, prior consent for such processing is necessary.


Poland regulation

The issue of consent for electronic marketing is governed by Article 398 of the Electronic Communications Act. Under this provision, it is prohibited to use:

  1. automatic calling systems; or
  2. telecommunication terminal equipment, in particular in the use of interpersonal communication services,

for the purpose of sending unsolicited commercial information, including direct marketing, to a subscriber or end-user unless prior consent has been given.

The subscriber or end-user can also give consent by providing an electronic address that identifies them (Article 398(2) of the Electronic Communications Act).

Collecting marketing consents under the Electronic Communications Act means obtaining express and informed consent from the person concerned before the entity decides to do things such as sending messages about special offers or making telephone contact for marketing purposes. The person from whom consent is collected must give it themselves, e.g. by clicking a checkbox or answering ‘yes’ to a communication. Consent cannot be selected by default. Existing consents remain valid if the manner in which they were given complies with the conditions set out in the enacted Electronic Communications Act. The condition is that the collected consents comply with the provisions on personal data protection (Article 400 of the Electronic Communications Act). This means that existing consents must comply with the conditions set out in the GDPR:

  • they must be given knowingly and voluntarily;
  • they must cover a specific purpose;
  • they can be withdrawn;
  • they must be specific and indicate the channel of future communication with the customer (e.g. SMS, telephone, email), the purpose and the entity to which the consent was given.

The consent to direct marketing and to the sending of unsolicited commercial communications should be separate from consent to the processing of personal data.
