Data Protection in Poland

Data protection laws in Poland

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

The Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretations and enforcement practices among Member States.

Territorial Scope

Primarily, the application of the GDPR depends on whether an organisation is established in the EU. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organisation that is not established in the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the EU, where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to those data subjects or "the monitoring of their behaviour" (Article 3(2)(b)) to the extent their behaviour takes place in the EU.


Poland regulation

As a member of the European Union, Poland implemented the EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of Laws of 2016, item 922, hereinafter: “previous PDPA”).

In relation to the GDPR, on 12 September 2017, two bills on personal data protection were published in Poland. The first one was passed into law on 25 May 2018 as the new Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781, hereinafter: the “PDPA”), while the second one was passed into law on 4 May 2019 as the Act on amendments to sectorial acts accompanying the GDPR of 21 February 2019, containing amendments to over 160 sectorial regulations, including banking, insurance and labour law (Journal of Laws of 2019, item 730, hereinafter: the “Implementing Act”).

The two new pieces of legislation are aimed at implementing the GDPR into the Polish legal order, as well as regulating matters in which the GDPR leaves a certain amount of freedom for EU Member States. The new PDPA establishes a new supervisory body – the President of the Office for Personal Data Protection (hereinafter: the “Polish DPA”), which has a much wider range of powers than the previous DPA (the Inspector General for the Protection of Personal Data – hereinafter: the “Inspector General”).

A number of provisions of the Electronic Communication Act of 12 July 2024 (hereinafter: the "Electronic Communication Act") are applicable to the processing of personal data by the electronic communications service provider, the electronic communications undertaking and the telecommunications undertaking. A number of sector-specific statutes relating to, among other things, employment and banking matters also contain specific regulations on the processing of personal data.

Several provisions of the law on clinical trials of medicinal products for human use of 9 March 2023 (Journal of Laws 2023, item 605) are also applicable to the processing of personal data. When carrying out clinical trials that are scientific research, the application of Articles 15, 16, 18 and 21 of the GDPR may be limited. Those restrictions may be imposed if it is likely that the rights set out in the aforementioned provisions will prevent or seriously hinder the achievement of the objectives of the clinical trial which is a scientific study, and if those restrictions are necessary to achieve those objectives.

According to the Polish Labour Code, the employer may introduce sobriety tests on employees if necessary to ensure the protection of life and health of employees or other persons or the protection of property. The employer processes information about the date and exact time of the sobriety test and its result only if this is necessary to ensure the protection of property, and stores this information in the employee's personal file for a period not exceeding one year from the date of its collection.
