DLA Piper Intelligence

Data Protection Laws of the World

Law

Poland

As a member of the European Union, Poland implemented EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of Laws of 2016, item 922, hereinafter referred to as the "PDPA"). To the extent relating to the processing of personal data by providers of publicly available telecommunications services, a number of provisions of the Telecommunications Act of 16 July 2004 (consolidated text: Journal of Laws of 2016, item 1489, hereinafter referred to as the "Telecommunications Act") are applicable. In addition, a number of sector-specific statutes relating to, among others, employment and banking also contain specific regulations on the processing of personal data.

Last modified 26 Jan 2017
Definitions

Definition of personal data

The PDPA states that personal data shall mean any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

Definition of sensitive personal data

Although the PDPA does not per se contain a legal definition of sensitive personal data, on a reading of the PDPA sensitive personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union membership, as well as data concerning health, genetic code, addictions or sex life, and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings.

Authority

The Inspector General for the Protection of Personal Data (hereinafter referred to as the "Inspector General")

(Polish: Generalny Inspektor Ochrony Danych Osobowych)

Contact information:

(Office of the Inspector General for the Protection of Personal Data)

Biuro Generalnego Inspektora Ochrony Danych Osobowych

Stawki 2

00-193 Warsaw, Poland

T: (22) 531 03 00, F: (22) 531 03 01

kancelaria@giodo.gov.pl

The Office of the Inspector General is open from Monday to Friday from 8 am to 4 pm.

Registration

As a general rule, data controllers who process personal data must notify the Inspector General about the data filing system containing such data. The Inspector General keeps a register of data controllers and data filing systems, which is available to the public.

The obligation to register data filing systems does not apply to the data controllers of data which:

  • include confidential information

  • were collected as a result of inquiry procedures conducted by officers of bodies authorised to conduct such inquiries

  • are processed by relevant bodies for the purpose of court proceedings and on the basis of the provisions on the National Criminal Register

  • are processed by the Inspector General of Financial Information

  • are processed by relevant bodies for the purpose of Poland’s participation in the Schengen Information System and Visa Information System

  • are processed by relevant bodies on the grounds of laws which regulate the exchange of information with law enforcement agencies of EU Member States

  • relate to the members of churches or other religious unions with an established legal status, being processed for the purposes of these churches or religious unions

  • are processed in connection with the employment by a data controller or providing services for a data controller on the grounds of civil law contracts, and also refer to the controller’s members and trainees

  • refer to the persons availing themselves of health care services, notarial or legal advice, patent agent, tax consultant or auditor services

  • are created on the basis of electoral regulations concerning the Lower Chamber of the Polish Parliament, the Senate, the European Parliament, communal councils, district councils and provincial councils, the President of the Republic of Poland, the head of a commune, the mayor or president of a city, and acts on national referendums and municipal referendums

  • refer to persons imprisoned under the relevant law, within the scope required for carrying out the provisional detention or imprisonment

  • are processed exclusively for the purpose of issuing an invoice, a bill, or for accounting purposes

  • are publicly available

  • are processed in the preparation of a thesis required to graduate from a university or be awarded a research degree

  • are processed with regard to minor, everyday affairs, or

  • are processed in data filing systems that are not generated with the use of IT systems, with the exception of sensitive personal data.

In addition, a data controller is exempted from the obligation to register data filing systems if it processes non-sensitive personal data and it has appointed a data protection officer (Polish: Administrator Bezpieczeństwa Informacji). The appointment of a data protection officer should be notified to the Inspector General, who keeps a public register of data protection officers. The notification procedure is formalised.

The data controller may start processing personal data after notification of a data filing system has been submitted for registration to the Inspector General, unless the controller is exempted from this obligation under the PDPA. However, the data controller may start processing sensitive personal data only after the relevant data filing system has been registered with the Inspector General, unless the data controller is exempted from this obligation under the PDPA.

The notification for the registration of a data filing system should include the following information:

  • an application for entering the data filing system in the register of filing systems

  • information about the data controller and the address of its seat or place of residence, including the identification number from the National Official Business Register if such a number was granted, as well as the legal basis for maintaining the data filing system and, in the case of entrusting data processing to another entity or appointing a representative, information about that entity/representative and the address of its seat or place of residence

  • the purpose of the processing

  • a description of the categories of the data subjects

  • the scope of processing of the data

  • the means of data collection and disclosure

  • information about the recipient or categories of recipients to whom data may be disclosed

  • a description of the technical and organisational measures undertaken in order to comply with the goals defined in the PDPA, and

  • information relating to the possible data transfer to a third country.

The data controller must notify the Inspector General about changes made to a data filing system with respect to the above-mentioned information within 30 days of the change being made. However, if the change would result in the processing of sensitive personal data, the data controller must notify the Inspector General before it is introduced.

Data Protection Officers

A data controller is not obliged to appoint a data protection officer. However, if a data protection officer is appointed and registered with the Inspector General, the data controller is not obliged to register a data filing system with the Inspector General provided that the data processed are non-sensitive. The data protection officer is not explicitly required to be a citizen or resident of Poland, but he/she must (i) have full capacity to perform legal acts and enjoy full civil rights; (ii) have relevant knowledge in the field of personal data protection; and (iii) not have been punished for an intentional offence.

The scope of the data protection officer's duties is specified in the PDPA. According to the PDPA, a data protection officer is obliged to:

  • ensure compliance with provisions on the protection of personal data, in particular to:

    • check compliance of personal data processing with the provisions on the protection of personal data and prepare a report in this regard for the data controller

    • supervise the development and updating of the security policy and the computer system management instruction and ensure compliance with the principles specified in these documents

    • ensure that the persons authorised to process personal data become acquainted with provisions on the protection of personal data

  • keep a register of data filing systems processed by a data controller (subject to the exceptions set out in the PDPA) whereby the register must contain the name of the data filing system and certain information required for notifying the data filing system set out in the PDPA, and

  • comply with a request from the Inspector General to carry out an inspection regarding the data controller's compliance with provisions on the protection of personal data, indicating the scope and date of the inspection.

The data controller is obliged to ensure that the data protection officer has adequate resources and is organisationally autonomous, and that he/she reports directly to the head of the organisational unit (which is usually the management board or chairman of the board) or to an individual who is the data controller.

The procedure for the notification of the appointment and removal of a data protection officer by a data controller is formalised and notification should be made to the Inspector General within 30 days of the appointment or removal of a data protection officer.

If a data controller decides not to appoint a data protection officer, the duties of the data protection officer are performed by the data controller itself, except for the obligation to prepare reports on the compliance with provisions on the protection of personal data. In such a situation, the data controller does not keep a register of data filing systems, but it is obliged to register data filing systems with the Inspector General, unless the PDPA provides for an exemption from this obligation (e.g. if the processing is related to the data controller's employment-related activity).

Collection & Processing

The processing of data is permitted only if:

  • the data subject has given his/her consent, unless the processing consists in erasure of personal data

  • processing is necessary to exercise rights and duties resulting from a legal provision

  • processing is necessary for the performance of an agreement to which the data subject is a party, or in order to take steps prior to entering into an agreement at the request of the data subject

  • processing is necessary for the performance of tasks provided for by law and carried out in the public interest, or

  • processing is necessary for the purpose of pursuing the legitimate interests of the data controller or data recipients, provided that the processing does not violate the rights and freedoms of a data subject.

By default, the processing of sensitive personal data is not allowed, unless at least one of the following conditions is met:

  • the data subject has given his/her written consent, unless the processing consists of the erasure of his/her personal data

  • specific provisions of another statute allow the processing of such data without the data subject’s consent and provide appropriate safeguards

  • processing is necessary to protect the vital interests of a data subject or another person, where a data subject is physically or legally incapable of giving his/her consent, until a legal guardian is established

  • processing is necessary for carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profit organisations or institutions of a political, scientific, religious, philosophical, or trade union character, provided that the processing relates solely to the members of those organisations or institutions or to persons who have regular contact with them in connection with their activity and subject to providing appropriate safeguards of the processed data

  • processing relates to personal data necessary to pursue a legal claim

  • processing is necessary for the data controller to carry out its obligations with regard to the employment of its employees and other persons, provided that the scope of processing is covered by law

  • processing is conducted for preventive medical purposes or the provision of care/treatment, where personal data is processed by health professionals involved in the treatment or the provision of other healthcare services or the management of healthcare services, and where the processing is subject to appropriate safeguards

  • processing relates to personal data made publicly available by a data subject

  • processing is necessary to conduct scientific research, including the preparation of a thesis required for graduation from university or for receiving a research degree; any results of academic research must not be published in a way that allows the identification of data subjects, or

  • data processing is conducted in order to exercise rights and duties resulting from decisions issued by courts or during administrative proceedings.

A data controller, subject to the exceptions set out in the PDPA, is obliged to provide a data subject with the following information:

  • the address of its seat and its full name, and if the data controller is a natural person, the address of his/her residence and his/her full name

  • the purpose of data collection and the data recipients, or categories of recipients, if known as of the date of collection

  • the data subject’s right of access to his/her data and the right to rectify the data, and

  • whether the collection of data is obligatory or voluntary, and if it is obligatory, about its legal basis.

If personal data is not obtained from the data subject itself, the data controller is obliged to provide, in addition to the above, the following information:

  • the scope of the collected data

  • the source of the data

  • the right of the data subject, in the event the processing is necessary for the performance of tasks provided for by law and carried out in the public interest, or in the event the processing is necessary to exercise legitimate interests pursued by a data controller:

    • to make a justified demand in writing for the blocking of the processing of his/her data, due to his/her particular personal situation, or

    • to object to the processing of his/her personal data if the data controller intends to process the data for marketing purposes or to object to the transfer of the data to another controller.

Transfer

The transfer of personal data to a third country (i.e. a country outside the European Economic Area) may take place only if the country of destination ensures an adequate level of data protection.

The adequate level of protection of personal data is evaluated taking into account all the circumstances surrounding the data transfer, in particular taking into account the nature of the data, the purpose and duration of the proposed processing operation, the country of origin and country of final destination of the data, the laws applicable in the third country, safety measures used in this country and business conduct.

The transfer of personal data is allowed if it is required by legal provisions or by the provisions of any ratified international agreement that guarantees an adequate level of personal data protection.

Nevertheless, a data controller may transfer the personal data to a third country provided that:

  1. the data subject has given his/her written consent

  2. the transfer is necessary for the performance of an agreement between the data subject and the data controller or takes place in response to the data subject’s request

  3. the transfer is necessary for the performance of an agreement concluded in the interests of the data subject between the data controller and another party

  4. the transfer is necessary or required by reasons of public interest or for the establishment of legal claims

  5. the transfer is necessary in order to protect the vital interests of the data subject, or

  6. the transfer relates to data which are publicly available.

In cases other than those referred to above, the transfer of personal data to a third country which does not ensure at least the same level of personal data protection as that in force in Poland may take place subject to the prior written consent of the Inspector General, provided that the data controller ensures adequate safeguards with respect to the protection of the privacy, rights and freedoms of the data subject. However, the prior written consent of the Inspector General is not required if the data controller ensures adequate safeguards with respect to the protection of privacy by means of:

  • executing an agreement with a data importer based on the Standard Contractual Clauses approved by the European Commission, or

  • implementing 'Binding Corporate Rules' which have been approved by the Inspector General.

Until October 2015, for the transfer of data to the United States, compliance with the US-EU Safe Harbor principles satisfied the requirement of the PDPA and the consent of the Inspector General was not required.

However, as a result of the judgment of the Court of Justice of the European Union of 6 October 2015 in the Schrems case (C-362/14), the US-EU Safe Harbor agreement is no longer regarded as a valid basis for transferring personal data to the US. A new mechanism, the so-called "Privacy Shield", can be used instead as a legal basis for transferring personal data to the US. The consent of the Inspector General is not required in this respect.

Security

The data controller is obliged to implement technical and organisational measures to protect the personal data being processed, appropriate to the risks and category of data being protected, and to protect data against unauthorised disclosure, takeover by an unauthorised person, processing which violates the PDPA, any change, loss, damage or destruction, and in particular the data controller must:

  • keep the documentation describing the way of data processing and security measures (security policy and computer system management instruction)
  • appoint a data protection officer who supervises the compliance with security measures (however, as mentioned above, if a data protection officer is not appointed, the given tasks in this regard are performed by the data controller)
  • ensure supervision over the following: what data is entered into the filing system, when, and by whom, and to whom they are transferred, and
  • grant authorisation to persons who are allowed to carry out the processing of personal data in the data controller's establishment and keep a register of those authorised persons, including the following information: full name of the authorised person, date of granting and expiry of the authorisation to access personal data, as well as the scope thereof, and an identifier if the data are processed in a computer system.

There are three levels of security measures prescribed under the PDPA depending on the category of data and means of processing implemented: "basic", "medium" and "high". In the event no sensitive data is processed and none of the devices of the IT system used for data processing is connected to the public network (i.e. the Internet), at least a basic level of security must be applied. If the data controller processes sensitive data, at least medium level security measures should be applied. However, if at least one device of the IT system used for data processing is connected to the public network, high level security measures must be applied.

Breach Notification

There is no requirement in the PDPA to notify data security breaches or losses of data to the Inspector General or to data subjects. However, pursuant to the Telecommunications Act, the provider of telecommunications services is obliged to immediately, but not later than within 3 days of learning about a data breach, notify the Inspector General about such a data breach. In the event that a data breach could have a negative impact on the rights of a subscriber or end user being an individual, the service provider should immediately, but not later than within 3 days of learning about the data breach, also inform the subscriber or end user (in addition to informing the Inspector General) about this breach.

Under the Telecommunications Act, a personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed in connection with the provision of publicly available telecommunications services by a telecommunications provider. A personal data breach which may have an adverse effect on the rights of a subscriber or end user being an individual means a breach which, in particular, may result in unauthorised use of personal data, damage to property, harm caused to personal interests, or disclosure of a bank secret or other professional secret protected by law.

It is not required to notify the Inspector General if the provider of publicly available telecommunications services (acting as a data controller) has implemented appropriate technical and organisational protection measures provided for in the PDPA that prevent the reading of data by unauthorised persons and has applied those measures to the data whose protection has been breached (e.g. anonymisation of personal data).

If the provider of publicly available telecommunications services fails to notify a subscriber or an end user being an individual of a personal data breach, the Inspector General may impose on the provider, by means of an administrative decision, an obligation to notify subscribers or end users about that breach, taking into account the potential adverse effect thereof.

Enforcement

In Poland, the Inspector General is responsible for the enforcement of the PDPA. The Inspector General is entitled to perform audits of data controllers in order to determine their compliance with regulations on the protection of personal data.

In the event of a breach of the provisions on personal data protection, the Inspector General ex officio or upon a motion of a person concerned, by means of an administrative decision, may issue an order to restore the proper legal state, and in particular to:

  • remedy the breach

  • complete, update, correct, disclose, or not disclose personal data

  • apply additional measures protecting the collected personal data

  • suspend the transfer of personal data to a third country

  • safeguard the data or transfer them to other entities

  • erase the personal data.

Failure to comply with a decision of the Inspector General may be subject to an administrative fine of up to PLN 50,000 in the case of a legal person (approx. EUR 10,000 as of January 2017) or of up to PLN 10,000 in the case of an individual (approx. EUR 2,100 as of January 2017), imposed in order to enforce compliance with the issued decision. A fine may be applied a number of times, however, the total amount of cumulated fines may not exceed PLN 200,000 in the case of a legal person (approx. EUR 42,000 as of January 2017) or PLN 50,000 in the case of an individual (approx. EUR 10,000 as of January 2017).

Furthermore, certain actions, as described below, may constitute a criminal offence under the PDPA:

  • A person who processes personal data in a data filing system where such processing is forbidden or where he/she is not authorised to carry out such processing may be liable to a fine, a restriction of liberty, or imprisonment of up to two years (or three years if the processed personal data is sensitive);

  • A person who, being a data controller of a data filing system or being obliged to protect personal data, discloses it or provides access to unauthorised persons, may be liable to a fine, a restriction of liberty, or imprisonment of up to two years (or one year if the offence is unintentional);

  • A person who, being a data controller, violates, whether intentionally or unintentionally, an obligation to protect data against unauthorised takeover, damage or destruction, may be liable to a fine, a restriction of liberty, or imprisonment of up to one year;

  • A person who, being under an obligation to, fails to notify a data filing system for registration with the Inspector General, may be liable to a fine, a restriction of liberty, or imprisonment of up to one year;

  • A person who, being a data controller, fails to inform a data subject of his/her rights or to provide him/her with information which would enable that person to benefit from the provisions of the PDPA may be liable to a fine, a restriction of liberty, or imprisonment of up to one year;

  • A person who prevents or hinders the performance of inspection activities conducted by the Inspector General (or its delegated inspectors) may be liable to a fine, a restriction of liberty, or imprisonment of up to two years.

The maximum fine applicable to the above criminal offences is PLN 1,080,000 (approx. EUR 230,000 as of January 2017). As criminal offences may only be prosecuted against individuals (and not against legal entities), the person usually facing potential criminal charges would be a member of the management board (usually the person performing the role of data controller in a legal entity) or an employee authorised to process personal data (e.g. a data protection officer or human resources officer).

Electronic Marketing

Electronic marketing activities are subject to the regulations of the PDPA, the Act of 18 July 2002 on Providing Services by Electronic Means (consolidated text: Journal of Laws of 2016, item 1030, hereinafter referred to as the "PSEM") and the Telecommunications Act.

The PDPA applies to electronic marketing activities if such activities involve the processing of personal data (e.g. an e-mail address is likely to be considered personal data for the purposes of the PDPA). The PDPA lays down the grounds for processing personal data for marketing purposes. According to the PDPA, a data controller may process personal data if the processing is necessary for the purpose of legitimate interests pursued by the data controller, provided that the processing does not violate the rights and freedoms of the data subject.

Legitimate interests include the direct marketing of the data controller's own products or services. Therefore, if marketing activities relate only to products and services owned by the data controller, consent for such processing should not be required. The data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services of third parties, prior consent for such processing is necessary. In each case the data subject should be informed about the processing of his/her personal data for marketing purposes.

Apart from consent for the processing of personal data (if such consent is required), the PSEM imposes an obligation to obtain a separate consent for sending commercial information by electronic means (e.g. emails and SMS) to a specified recipient who is an individual. Therefore, a service provider is obliged to obtain the relevant consent before sending commercial information (via email or SMS) to a natural person. Consent is also required to send marketing information to a specific employee's business email address (such as name.surname@company.com). On the other hand, it is permitted to send such information without prior consent to recipients who are legal persons at general email addresses (such as office@company.com). The consent shall not be presumed to be, or be part of, another statement of will and may be withdrawn at any time. Sending commercial information without consent is considered to be an unfair competition practice. A service provider should be able to provide evidence that it has obtained consent.

The amendment to the Telecommunications Act implementing Directive 2002/65/EC and Directive 2002/58/EC came into force on 25 December 2014. The amended regulation prohibits the use of final telecommunications devices (such as fixed-line telephones, cell phones, faxes, computers, etc.) and automated calling systems for direct marketing, unless a subscriber (understood as an entity who is a party to an agreement for the provision of telecommunications services concluded with a provider of publicly available telecommunications services) or end user (i.e. an entity using or requesting a publicly available telecommunications service to satisfy its own needs) has given prior consent to this. The regulation in the Telecommunications Act concerns all subscribers and end users (i.e. not only natural persons but also legal persons).

Therefore, pursuant to the Telecommunications Act, using end telecommunications devices (for instance, to present a marketing offer during a telephone call) or automated calling systems for direct marketing requires obtaining a further consent decision from the recipient (subscriber or end user). In practice, the relationship between the above-mentioned regulations (especially between the provisions of the PSEM and the Telecommunications Act) and the scope of the particular consent decisions that should be obtained by service providers is not perfectly clear. However, it seems that, generally, the consent for the use of end telecommunications devices and automated calling systems for direct marketing should be obtained separately from the consent for the processing of personal data (if required) and the consent for the sending of commercial information by electronic means.

The consent of the subscriber or the end user:

  • may not be presumed or implied by a declaration of will of a different content
  • may be expressed by electronic means, provided that it is recorded and confirmed by the user, and
  • may be cancelled at any time, in a simple manner and free of charge.

Enforcement and sanctions

Failing to fulfil the obligations to obtain consent for using end telecommunications devices and automated calling systems for direct marketing may be subject to a fine of up to 3% of the revenues of the fined company for the past calendar year. The fine is imposed by the President of the Office of Electronic Communication (hereinafter referred to as the ‘President of OEC’). In addition, the President of OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his/her monthly remuneration.

Sending marketing information by electronic means without the consent of the recipient may be subject to a fine of up to PLN 5,000 (approx. EUR 1,065 as of January 2017) under the provisions of PSEM and is considered to be an act of unfair competition (subject to separate regulations).

The regulations of the PDPA set out in the Enforcement section above may apply accordingly.

Last modified 26 Jan 2017
Online Privacy

The Telecommunications Act regulates the collection of transmission and location data and the use of cookies (and similar technologies). The amendment to the Telecommunications Act which implements Directive 2009/136/EC and Directive 2009/140/EC came into force on 21 January 2013, with the exception of the new provisions regarding cookies, which came into force by 22 March 2013.

Transmission data

The processing of transmission data (understood as data processed for the purpose of transferring messages within telecommunications networks or charging payments for telecommunications services, including location data, which should be understood as any data processed in a telecommunications network or as a part of telecommunications services indicating geographic location of terminal equipment of a user of publicly available telecommunications services) for marketing telecommunications services or for providing value-added services is permitted if the user (i.e. subscriber or end user) gives his/her consent.

Data about location

In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a provider of publicly available telecommunications services has to:

  • obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given period or in relation to a given call; or
  • perform the anonymisation of this data.

A provider of publicly available telecommunications services is obliged to inform the user, prior to receiving its consent, with regard to the type of data about location which is to be processed, with regard to the purpose and time of its processing, and whether this data is to be passed on to another entity in order to provide a value-added service.

Processing data about location may only be performed by entities that:

  • are authorised by a public telecommunications network operator,
  • are authorised by a provider of publicly available telecommunications services, or
  • provide a value-added service.

Data about location may be processed only for purposes necessary to provide value-added services.

Cookies

The use and storage of cookies and similar technologies is only allowed on the condition that:

  • the subscriber or the end user is directly informed in advance in an unambiguous, simple and understandable manner about:
    • the purpose of storing and the manner of gaining access to this information
    • the possibility to define the conditions of the storing or the gaining of access to this information by using the settings of the software installed on his/her telecommunications terminal equipment or the service configuration
  • the subscriber or end user, having obtained the information referred to above, gives his/her consent, and
  • the stored information or the gaining of access to this information does not cause changes in the configuration of the subscriber's or end user's telecommunications terminal equipment or in the software installed on this equipment.

The user may grant consent by using the settings of the software installed in the terminal telecommunications device used by him/her or by the service configuration.

Consent of the subscriber or end user is not required if storage or gaining access to cookies is necessary for:

  • transmitting a message using a public telecommunications network; or
  • delivering a service rendered electronically, as requested by the subscriber or the end user.

Entities providing telecommunications services or services by electronic means may install software on the subscriber’s or end user’s terminal equipment intended for using these services or use this software, provided that the subscriber or end user:

  • is directly informed, before the installation of the software, in an unambiguous, simple and understandable manner, about the purpose of installing this software, and about the manner in which the service provider uses this software

  • is directly informed, in an unambiguous, simple and understandable manner, about the manner in which the software may be removed from the end user’s or subscriber’s terminal equipment, and

  • gives its consent for the installation and use of the software prior to its installation.

Enforcement and sanctions

A company that processes transmission data contrary to the Telecommunications Act, or fails to fulfill obligations to obtain consent for processing data about location or for storing and gaining access to cookies, may be subject to a fine of up to 3% of the company’s revenues for the past calendar year. The fine is imposed by the President of OEC. In addition, the President of OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his/her monthly remuneration.

The regulations of the PDPA set out in the Enforcement section above may apply accordingly.

Last modified 26 Jan 2017
Contacts
Ewa Kurowska-Tober
Partner, Head of IPT
T +48 22 540 74 1502
Łukasz Czynienik
Senior Associate
T +48 22 540 74 67
Damian Karwala
Senior Associate
T +48 22 540 74 16
Last modified 26 Jan 2017