Last modified 16 January 2025

Data Protection in Poland

National data protection authority in Poland

Change countries

Change country

Data protection laws in Poland

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

The Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretations and enforcement practices among Member States.

Territorial Scope

Primarily, the application of the GDPR depends on whether an organisation is established in the EU. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organisation that it is not established in the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the EU where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to those data subjects or "the monitoring of their behaviour" (Article 3(2)(b)) to the extent their behaviour takes place in the EU.

Poland regulation

As a member of the European Union, Poland implemented the EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of Laws of 2016, item 922, hereinafter: “previous PDPA”).

In relation to GDPR, on 12 September 2017, two bills on personal data protection were published in Poland. The first one was passed into law on 25 May 2018 as the new Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781 (“PDPA”), while the second one was passed into law on 4 May 2019 as the Act on amendments to sectorial acts accompanying the GDPR of 21 February 2019, containing amendments to over 160 sectorial regulations, including banking, insurance and labour law (Journal of Laws of 2019, item 730, hereinafter: the “Implementing Act”).

The two new pieces of legislation are aimed at implementing the GDPR into the Polish legal order, as well as regulating matters in which the GDPR leaves a certain amount of freedom for EU Member States. The new PDPA establishes a new supervisory body – the President of the Office for Personal Data Protection (hereinafter: the “Polish DPA”), which has a much wider range of powers than the previous DPA (the Inspector General for the Protection of Personal Data – hereinafter: the “Inspector General”).

A number of provisions of the Electronic Communication Act of 12 July 2024 (hereinafter: "Electronic Communication Act") are applicable to the processing of personal data by the electronic communications service provider, the electronic communications undertaking and the telecommunications undertaking and a number of sector-specific statutes relating to, among other things, employment and banking matters also contain specific regulations on the processing of personal data.

Several provisions of the law on clinical trials of medicinal products for human use of 9 March 2023 (Journal of Laws 2023, item 605) are also applicable to the processing of personal data. When carrying out clinical trials that are scientific research, it is allowed to limit the application of the provisions of articles 15, 16, 18 and 21 of the GDPR. Those restrictions may be imposed if it is likely that the rights set out in the aforementioned provisions will prevent or seriously hinder the achievement of the objectives of the clinical trial which is a scientific study, and if those restrictions are necessary to achieve those objectives.

According to the Polish Labour Code, the employer may introduce sobriety tests on employees if necessary to ensure the protection of life and health of employees or other persons or the protection of property. The employer processes information about the date and exact time of the sobriety test and its result only if this is necessary to ensure the protection of property, and stores this information in the employee's personal file for a period not exceeding one year from the date of its collection.

Related resources

Definitions

Definitions in Poland

EU regulation

Personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Poland regulation

The Implementing act does not include any local derogations to the definitions set out in GDPR.

Authority

National data protection authority in Poland

EU regulation

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Poland regulation

The President of the Office for Personal Data Protection.

Office of the President for Personal Data Protection
Urzad Ochrony Danych Osobowych
Stawki 2
00-193 Warsaw
Poland

Tel. +48 22 531 03 00
Fax +48 22 243 05 69
[email protected]

Helpline (in Polish only): phone no. +48 606-950-000 is open from Monday to Friday from 10 am to 2 pm.

The Office of the President is open from Monday to Friday from 8 am to 4 pm.

Registration

Registration in Poland

EU regulation

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Poland regulation

Under the previous PDPA (in force until May 25, 2018), as a general rule, data controllers that process personal data were obligated to notify the Inspector General about the data filing system containing that data. The Inspector General kept a register of data controllers and data filing systems, which was available to the public.

This obligation does not longer exists under the new PDPA and the Implementing act.

Data protection officers

Data protection officers in Poland

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority;
Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale;
Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws;
To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
To advise and monitor data protection impact assessments where requested;
To cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Poland regulation

According to the new PDPA, the appointment of a Data Protection Officer (DPO) must be notified to the supervisory authority within 14 days. The notification should include the name and email address of the DPO or his or her phone number. Any changes to the information provided or the dismissal of a DPO should also be notified within 14 days. The entity who appointed the DPO shall make available the DPO's details on its website or in a generally accessible manner at a place of pursuit of activity (if it does not have its own website). According to official guidance from the Polish DPA, the contact details of the DPO should be easily accessible, not hidden somewhere in long documents such as a privacy policy etc.

The Implementing act includes the possibility to designate a person to replace the DPO during their absence (e.g. temporary absence). However, it would be necessary to inform the Polish DPA about the designation in the same way as about the designation of a DPO. All rules and requirements for DPOs, such as the ones stated in article 37 of the GDPR or the obligation to inform the Polish DPA are also applicable to this person.

If a person was officially appointed as an Information Security Officer (ABI) under the previous PDPA, this person automatically became a DPO for the data controller until September 1, 2018, and provided that the appointment was notified to the President of the Office before that date, the person continues to serve as a DPO after that date.

If the data controller is obliged to appoint a DPO in accordance with Article 37 of the GDPR but did not appoint one under the previous PDPA, the appointment of the DPO should have taken place and been notified to the President of the Office before July 31, 2018.

Collection and processing

Collection and processing in Poland

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle);
Accurate and where necessary kept up-to-date (accuracy principle);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle);
Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle).

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time);
Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
Where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

With the explicit consent of the data subject;
Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
In limited circumstances by certain not-for-profit bodies;
Where processing relates to the personal data which are manifestly made public by the data subject;
Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices;
Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to re-purpose personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose;
The context in which the data have been collected;
The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
The possible consequences of the new processing for the data subjects;
The existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

The identity and contact details of the controller;
The data protection officer's contact details (if there is one);
Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
The recipients or categories of recipients of the personal data;
Details of international transfers;
The period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
The consequences of failing to provide data necessary to enter into a contract;
The existence of any automated decision making and profiling and the consequences for the data subject;
In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

The right of access does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
In addition, controllers performing public tasks are exempted from the obligation under Article 15 of the GDPR if it serves the performance of a public task, if it is necessary for the purposes referred to in Article 23(1) of the GDPR, and if the performance of these obligations would prevent or significantly impede the proper performance of the public task (where the interest or fundamental rights or freedoms of the data subject are not overridden by the interest resulting from the performance of that public task) or if it would violate the protection of classified information.
The right of access is also limited due to the need for the proper performance of the public task. Data controllers who have received personal data from an entity carrying out a public task do not fulfill this obligation where the entity providing the personal data has made a request in this regard due to the necessity for the proper performance of a public task aimed, for example, at: the prevention of crime, the detection or prosecution of criminal acts or the execution of penalties, including the protection against and prevention of threats to public safety, or the protection of the economic and financial interests of the state. However, the controller must respond to a person's request in a way that makes it impossible to determine that the controller is processing personal data received from an entity performing a public task.
The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of access, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to rectify (Article 16)

The right to rectify does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of rectification, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to erasure ('right to be forgotten') (Article 17)

The right to erasure is subject to limitation under the Labor Code. The employer must keep employee documentation a period of 10 years after the termination of employment, which excludes the earlier deletion of such data at the request of a former employee. In addition, the Act on Accounting imposes an obligation to keep accounting records (e.g. employee pay slips, books of account) for at least 5 years.

Right to restriction of processing (Article 18)

The right to restriction of processing does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to restriction of processing, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to data portability (Article 20)

The right to data portability does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.

Right to object (Article 21)

The right to object does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to objection, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Poland regulation

The new PDPA includes some derogations from the GDPR. However, the draft of the Implementation act is likely to introduce more provisions which elaborate on the provisions of the GDPR on the collection and processing of personal data. It is important to note that the Polish legislator has decided to include derogations regarding labour law both in the new PDPA and in the Implementation act.

The new PDPA contains provisions amending, among others, the Labour Code. These provisions provide for circumstances under which the employer can carry out video surveillance, email monitoring and other employee monitoring activities. Video surveillance may be implemented if it is necessary to ensure the safety of employees or the protection of property or production control or to keep information, the disclosure of which could cause damage to the employer, confidential. Monitoring of work emails may be implemented if it is necessary to ensure maximum work efficiency and the proper use of work tools made available to the employees. The scope, means and purposes of the employee monitoring must be provided to the employees via workplace regulations or other, exhaustively listed, means at least two weeks before the monitoring starts. The legality of a particular monitoring scheme should be assessed on a case-by-case basis.

The new PDPA also prescribes the maximum retention period of the information obtained from video monitoring (it must not be stored indefinitely). The mater can be retained for three months after the recording took place, unless the recording constitutes (or may constitute) evidence in legal proceedings. In this case, the material may be stored until the final decision in the proceedings is issued. In relation to the retention period of information obtained via any other form of employee monitoring, the general rules of the GDPR apply - the material can be retained as long as is reasonably needed for the purposes for which it was collected. The remaining changes to the Labour Code are included in the Implementation act.

For example, the employer may process the personal data of its employees or job applicants referred to in Article 9(1) with consent however only if the data was given on the data subject's own initiative. Another significant amendment is to the scope of data requested when applying for a job. Although address as well as parents' names are no longer needed, contact details should be provided. Changes in video surveillance would allow an employer to locate cameras in sanitary areas upon prior consent from the enterprise trade union or the employee representative who has been chosen in the way prescribed by an employer. However, the monitoring shall not cover the premises made available to the enterprise trade union.

Related resources

Transfer

Transfer in Poland

EU regulation

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1) of GDPR).

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.

With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.

It is worth mentioning that the European Commission has adopted an adequacy decision in relation to the EU-US data protection framework. The decision states that the US provides an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to US companies under the new framework.

Related resources

Security

Security in Poland

EU regulation

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

The pseudonymization and encryption of personal data
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

Poland regulation

The Implementing Act does not include any derogations from the GDPR.

Related resources

Breach notification

Breach notification in Poland

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to the affected data subjects. A personal data breach is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include, where possible, the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach, and the measures taken to mitigate any harm (Article 33(3)).

Controllers are also required to keep records of all data breaches (Article 33(5)) (irrespective of whether they are notified to the supervisory authority) and permit audits of the records by the supervisory authority.

Poland regulation

In Poland, the breach notification obligations under the Telecommunications Act were replaced by the breach notification obligations under the terms specified in Commission Regulation (EU) No. 611/2013 of 24 June 2013 regarding measures applicable to the notification of personal data breaches under Directive 2002/58/ EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013).

A personal data breach should be reported by the provider of telecommunications services to the Polish DPA immediately, and no later than 24 hours after the detection of the personal data breach. This deadline results from Article 2 section (2) of Regulation 611/2013. Because this period is shorter than the period indicated in the GDPR, telecommunications undertakings will have to make every effort to send the information required by law within 24, not 72, hours. Therefore, the personal data breach should be notified electronically by filling out the appropriate form.

If a data breach could have a negative impact on the rights of a subscriber or end user (i.e. a natural person), the service provider should also - immediately (i.e. without undue delay) - inform the subscriber or end user about the breach (in addition to informing the Polish DPA) in accordance with Regulation 611/2013.

Under the new Electronic Communications bill, the breach notification obligations continue to be superseded by the breach notification obligations under Commission Regulation (EU) No. 611/2013, so relevant provisions remain unchanged.

Related resources

Enforcement

Enforcement in Poland

EU regulation

In 2021, the Polish DPA issued seventeen administrative fines. Most of them were connected with a failure of an entity to provide information to or cooperate with the Polish DPA , as well as not having sufficient technical and organisational measures to ensure information security.

The biggest fine of 2021 was imposed on a company that provides comprehensive, integrated media and telecommunications services. Its infringement consisted in the failure to implement appropriate technical and organisational measures to ensure the security of personal data processed in cooperation with a courier service provider. The large number of data breaches involved the loss of correspondence with personal data or the delivery of correspondence to the wrong recipient. The company’s data controller reported the breaches to the supervisory authority and notified the affected individuals two or even three months after they occurred. The company was fined EUR 245,000.

Another fine was issued on 14 October 2021. The Polish DPA had become aware of a data protection breach following a complaint against a bank. It turned out that correspondence sent by the bank through a courier service containing personal data (e.g. first name, surname, PESEL number, home address, account numbers and identification numbers of customers) had been lost. The bank had failed to report the incident to the Polish DPA and provide adequate notice to the data subjects and was fined EUR 78,000.

Another decision was issued against an insurance company for failing to report a personal data breach to the Polish DPA and failing to notify the data subject of the breach. The breach was caused by an employee of a financial intermediary sending an insurance needs analysis and an insurance offer, including data such as first name, surname, PESEL number, city, postal code and information on the subject of the insurance, by e-mail to the wrong recipient. The fine was EUR 35,300.

Another fine resulting from a failure to report a personal data breach to the Polish DPA was imposed on a generator, distributor and retailer of electricity. The breach involved sending an email with an unencrypted, non-password-protected attachment containing the personal data of several hundred people. The sender of the email was an associate of the company, which was fined EUR 30,000.

The last of the major fines imposed in 2021 concerned the National School of Judiciary and Public Prosecution, whose data controller failed to implement sufficient technical and organisational measures related to its training platform website. During a test migration to a new platform, the data of more than 50,000 individuals had been exposed on the Internet. The Polish DPA imposed a fine of EUR 22,200.

Poland regulation

In 2022, the Polish DPA issued ten decisions imposing administrative fines which, similarly to the previous year, concerned the failure to provide information to the Polish DPA, lack of cooperation with the Polish DPA, and the use of insufficient technical and organisational measures to ensure information security.

So far, the highest fine of 2022, i.e. EUR 1,000,000, was imposed on an electricity and gas trading company, which sells electricity and gas to both business and household end users. The company failed to implement appropriate technical and organisational measures, but also did not properly verify its data processor. The Polish DPA found that unauthorised persons had managed to access and siphon off customer data and blamed both the controller and the processor for the personal data breach affecting more than 100,000 individuals for five days. As a result, the processor was also fined EUR 53,000.

Another fine was imposed on a bank which did not report a personal data breach to the Polish DPA in a timely manner, despite the fact that around 10,500 people were affected. In its decision, the Polish DPA emphasised that it was not necessary for the risk to have actually materialised, but the mere fact that it could have, was sufficient. The bank was fined EUR 118,000.

One recent decision concerned a telecoms operator that failed to report a data breach to the Polish DPA within 24 hours in accordance with the provisions of Telecommunications Act. The company’s data controller also did not notify the affected individuals. The breach occurred during the process of concluding a contract, as an email containing a copy of the contract and its annexes was sent to an address incorrectly indicated by the customer. This was not the first time the entity had not notified the Polish DPA of a data breach by the required deadline, which also had an impact on the fine, which was EUR 53,000.

The same telecoms operator is also the owner of a company providing prepaid and postpaid wireless voice, text and data communications services throughout Poland. This case started in 2019 when the Polish DPA imposed a fine of EUR 444,000 for the lack of appropriate technical and organisational measures to ensure the security of the data it was processing. The company lodged an appeal following the decision and as a result the administrative court stated that the Polish DPA should re-assess the amount of the fine. The company had to pay a fine in the amount of EUR 374,00.

In 2023, the Polish DPA imposed a fine of EUR 24 000 on insurance company for failing to report a data breach within the required 72-hour timeframe. The breach involved an unauthorized recipient receiving an email with sensitive personal data, including names, addresses, and insurance details. Despite being aware of the incident, the company did not notify the supervisory authority, leading to the fine. The decision highlights the importance of timely reporting and proper risk assessment to protect individuals' data rights.

In 2024, the Polish DPA imposed an administrative fine of EUR 326 000 on the bank for failing to report a personal data protection breach. The Polish DPA found out about the personal data protection breach at the Bank from the media. It involved the publicising of bank documents contained in a parcel abandoned on one of the housing estates, after it had previously been stolen from a courier company. The Polish DPA emphasized that the risk assessment of an individual's rights or freedoms should be viewed from the perspective of the person at risk, rather than the Controller's interests. Failing to report a data breach to both the affected individuals and the Polish DPA hinders an appropriate response and risk evaluation, potentially leading to serious consequences for the data subjects.

In 2024, the Polish DPA imposed a monetary penalty on an entity whose employee lost a memory stick. The memory stick contained partially encrypted personal data of another controller employee. The lost external data carrier contained unencrypted files with the employee's personal data in terms of name, home address, nationality, gender, date of birth, PESEL number, passport series and number, telephone number, email address, photograph (image) and salary details. In addition, the data medium also contained encrypted financial data files. It was found that the company failed to apply appropriate technical and organisational measures to protect personal data, which violated the principles of integrity, confidentiality and accountability. The controller was fined EUR 56,000.

Electronic marketing

Electronic marketing in Poland

EU regulation

Electronic marketing activities are subject to the regulation of Polish data protection law, i.e. the Electronic Communication Act.

The processing of personal data for its own marketing purposes by a data controller (as well as other companies from the group) may be based on Article 6 sec. 1(f) of the GDPR, i.e. the legitimate interests of the data controller, and it does not require separate consent. However, the data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services of third parties, prior consent for such processing is necessary.

Poland regulation

The issue of consent for electronic marketing is governed by Article 398 of the Electronic Communications Act. Under this provision, it is prohibited to use:

automatic calling systems; or
telecommunication terminal equipment, in particular in the use of interpersonal communication services,

for the purpose of sending unsolicited commercial information, including direct marketing, to a subscriber or end-user unless prior consent has been given.

The subscriber or end-user can also give consent by providing an electronic address that identifies them. (Article 398(2) Electronic Communications Act).

The collection of marketing consents according to the Electronic Communications Act consists of obtaining express and informed consent from the person concerned before the entity decides to do things such as send messages about special offers or telephone contact for marketing purposes. The person from whom consent is collected must give it themselves, e.g. by clicking a checkbox or answering ‘yes’ to a communication. Consent cannot be selected by default. It is worth mentioning that the existing consents remain valid - if the manner of giving consent complies with the conditions set out in the enacted Electronic Communications Act. Such a condition is that the collected consents comply with the provisions on personal data protection (Article 400 of the Electronic Communications Act). This means that existing consents must comply with the conditions set out in the GDPR:

they must be given knowingly and voluntarily;
must cover a specific purpose;
can be withdrawn;
must be specific and indicate the channel of future communication with the customer (e.g. SMS, telephone, email), the purpose and the entity to which the consent was given).

The consent to direct marketing and to the sending of unsolicited commercial communications should be separate from consent to the processing of personal data.

Online privacy

Online privacy in Poland

EU regulation

Regulations under Electronic Communications bill concerning online privacy remain unchanged. The Electronic Communications Act regulates the collection of transmission and location data and the use of cookies (and similar technologies).

Transmission data

The processing of transmission data (understood as data processed for the purpose of transferring messages within telecommunications networks or charging payments for telecommunications services, including location data, which should be understood as any data processed in a telecommunications network or as a part of telecommunications services indicating the geographic location of the terminal equipment of a user of publicly available telecommunications services) for marketing telecommunications services or for providing value-added services is permitted if the user (i.e. subscriber or end user) gives his or her consent.

The provider of electronic communication services shall be obliged to inform the end-user or subscriber in particular of:

the scope and purpose of the processing of transmission data and other data concerning them;
the possibilities of influencing the scope of this processing;
the type of transmission data that will be processed and the duration of such processing for the purposes of marketing electronic communication services or the provision of value-added services.

Location data

In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a provider of publicly available telecommunications services has to:

Obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given period or in relation to a given call; or
Anonymize this data.

A provider of electronic communication services is obliged to inform the user, prior to receiving its consent, about the type of data about location which is to be processed, about the purpose and time limits of the processing, and whether this data is to be passed on to another entity in order to provide a value-added service.

Processing data about location may only be performed by entities that:

Are authorized by a provider of electronic communication services;
Provide a value-added service.

Data about location may be processed only for purposes necessary to provide value-added services and other purposes indicated in the Act.

Cookies

According to the art. 399 of the Electronic Communications Act the use and storage of cookies and similar technologies is only allowed on the condition that:

The subscriber or the end user is directly informed in advance in an unambiguous, simple and understandable manner about:
- The purpose of storing and the manner of gaining access to this information;
- The possibility to define the condition of the storing or the gaining of access to this information by using settings of the software installed on his or her telecommunications terminal equipment or service configuration;
The subscriber or end user, having obtained the information referred to above, gives his / her consent; and
The stored information or the gaining of access to this information does not cause changes in the configuration of the subscriber's or end user's telecommunications terminal equipment or in the software installed on this equipment (the end user may grant consent by using the settings of the software installed in the final telecommunications device that he / she uses or by the service configuration).

The consent of the subscriber or end user is not required if storage or gaining access to cookies is necessary for:

Transmitting a message using a public telecommunications network;
Delivering a service rendered electronically, as required by the subscriber or the end user.

Entities providing telecommunications services or services by electronic means may install software on the subscriber’s or end user’s terminal equipment intended for using these services or use this software, provided that the subscriber or end user:

Is directly informed, before the installation of the software, in an unambiguous, simple and understandable manner, about the purpose of installing this software and about the manner in which the service provider uses this software;
Is directly informed, in an unambiguous, simple and understandable manner, about the manner in which the software may be removed from the end user’s or subscriber’s terminal equipment;
Gives its consent to the installation and use of the software prior to its installation.

According to the art. 400 of the Electronic Communications Act, the consent of the subscriber or the end user must comply with the GDPR requirements as regards the format.

Enforcement and sanctions

A company that processes transmission data contrary to the Telecommunications Act or fails to meet obligations to obtain consent to process data about location or to store and to gain access to cookies may be subject to a fine of up to 3% of the company’s revenues for the previous calendar year. The fine is imposed by the President of the OEC. In addition, the President of the OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his or her monthly remuneration.

Poland regulation

Failing to meet the obligations to obtain consent to direct marketing by means of telecommunications devices and automated calling systems may be subject to a fine of up to 3% of the revenues of the fined company for the previous calendar year or up to PLN 1,000,000. When imposing the sanction, the higher amount is applied. The fine is imposed by the President of the Office of Electronic Communication (hereinafter referred to as the President of the OEC). In addition, the President of the OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his or her monthly remuneration.