Data Protection in Poland

Registration in Poland

EU regulation

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.


Poland regulation

Under the previous PDPA (in force until May 25, 2018), as a general rule, data controllers that process personal data were obligated to notify the Inspector General about the data filing system containing that data. The Inspector General kept a register of data controllers and data filing systems, which was available to the public.

This obligation does not longer exists under the new PDPA and the Implementing act.

Continue reading

  • no results

Previous topic
Back to top