Introduction to the Polish data protection law regime

Data protection law regime in Poland, as a member of the European Union (hereafter referred as the EU), is mainly presented by national normative acts that correspond to the general EU data protection order. In 1997 Poland adopted the Personal Data Protection Act in order to implement provisions of the EU Data Protection Directive 95/46/ EC. A few years later, the Telecommunications Act of 16 July 2004 defined the processing of personal data by providers of publicly available telecommunications services. Since May 2018, the new Personal Data Protection Act (hereafter referred as the PDPA) came into legal force, implementing the General Data Protection Regulation 2016/679 (hereafter referred as GDPR) into Polish legal order.

With regard to PDPA, it is interesting to know that primarily Polish legislator prepared package of two draft acts on personal data protection. And if the first act has already entered into force, as it mentioned before, entry into force of the second draft has been delayed before spring 2019. This second act is dedicated to implement a number of amendments of sectoral (employment, banking and insurance) regulations. 

In general, the new PDPA reflects the key provisions of GDPR, although it has several distinctive features. First of all, in Poland a new supervisory authority is appointed. Now it is the President of the Office of Personal Data Protection (hereafter referred as the President) which replaced The Inspector General for Personal Data Protection since 25 May 2018.

The PDPA excludes the application of GDPR in cases where some special forces or entities of the public finance sector process data for the execution of tasks, which are aimed to ensure the national security. Furthermore, GDPR is also partially excluded from the application to the extent of editing, preparing or publishing press materials, as well as in scope of literary or artistic activities. The same is true for data controllers who perform public services.

In question of processing personal data about children Poland did not reduce the age as Member States may reduce it up to 13.

As a rule, there are only several occasions when information about criminal offences could be processed under GDPR:

  • it is accomplished under the control of official authority, or
  • the processing is authorized by EU or Member State law.

With new PDPA in Poland employers from the financial and banking sectors obtain a define right to check criminal records with respect to certain employees and potential job candidates, whose positions requiring access to confidential data or making risk-bearing decisions.

Another point is that generally a data controller must provide data subjects with a privacy notice in certain cases. However, the PDPA does not require that information provided to data subject was in Polish. Pursuant to the Act on Polish Language (October 7, 1999) all communications with the consumers must be in Polish. Consequently, any privacy notices also must be in Polish.

Regarding the notification of any personal data breach, the new data protection legislation empowered the President of Data Protection Office to introduce an online system allowing controllers to report on personal data breaches. Presently, the President published electronic forms relating to data breach notification.

The President of Data Protection Office, as a responsible authority to control the compliance with GDPR, is entitled to impose administrative fines pursuant to Article 83 of GDPR. The new PDPA prescribes fines for public authorities that cannot exceed PLN 100,000 (approx. EUR 25,000). Besides of that, this normative act also stipulates the criminal liability for individuals in the following cases:

  • a person who processes personal data unlawfully or without proper authorization may be liable to a fine, a partial restriction of freedom, or imprisonment of up to two years (or three years with regard to processing of certain personal data categories);
  • a person who prevents or deters the performance of inspection activities conducted by the President may be liable to a fine, a restriction of liberty, or imprisonment of up to two years.

Due to the fact that only natural person can be a subject to criminal liability, the person who may actually face criminal charges would be a member of the management board, namely the individual performing the role of data controller in a legal entity. The same person can be an employee authorized to process personal data, for instance, a data protection officer or human resources officer. In accordance with the latest available information the Polish supervisory authority has not imposed any fines yet.

Questions regarding Polish business or data protection law? We are happy to assist you with our partner:

Paulina Skwarek attorney at law