Poland - Data Protection Overview
1. Governing Texts
Data protection in Poland is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Act of 10 May 2018 on the Protection of Personal Data (only available in Polish here) ('the Act').
The Act regulates procedural issues and other specific rules concerning, inter alia:
- the obligation of public bodies to designate a data protection officer ('DPO');
- the notification of the appointment of a DPO;
- the appointment of a 'deputy DPO' in the absence of the DPO;
- the accreditation of an entity authorised to grant certification;
- the entities authorised to monitor codes of conduct and certification;
- the approval of a code of conduct;
- the powers of the Polish Supervisory Authority ('the UODO');
- European administrative cooperation;
- civil liability, criminal liability, and administrative fines; and
- changes to the Labour Code of 1974 ('the Labour Code') on employee monitoring.
In addition, the Act of 21 February 2019 Amending Sectoral Laws to Ensure Application of GDPR (only available in Polish here) ('the Amending Act') aimed to adjust the Polish legal system to the requirements of the GDPR. It introduced changes to almost 170 separate sectoral acts, including:
- the Labour Code;
- Act of 29 August 1997 on Banking Law (only available in Polish here) ('the Banking Law');
- Act of 27 May 2004 on Investment Funds and Management of Alternative Investment Funds (only available in Polish here);
- Act of 1 March 2018 on Counteracting Money Laundering and Financing of Terrorism (only available in Polish here);
- Act of 18 July 2002 on the Provision of Electronic Services (only available in Polish here) ('the Act on Electronic Services');
- Act of 29 August 1997 on the Tax Code (only available in Polish here);
- Act of 19 August 2011 on Payment Services (only available in Polish here);
- Act of 10 April 1997 on Energy Law (only available in Polish here);
- Act of 14 June 1960 on the Code of Administrative Procedure (only available in Polish here); and
- Act of 11 September 2015 on Insurance and Reinsurance Activities (only available in Polish here).
To date, the following are the most prominent guidelines that have been issued by the UODO:
- guidance on how to apply a risk-based approach;
- the Revised list of data processing operations requiring a Data Protection Impact Assessment (only available in Polish here);
- guidelines on how to maintain records with templates for record of processing activities and record of all categories of processing activities carried out on behalf of a controller, with samples of completed templates;
- guidelines on CCTV (only available in Polish here);
- guidelines on data protection in the workplace;
- guidelines on processing personal data in schools and educational establishments;
- guidelines on controllers' obligations related to data breaches;
- guidelines on data protection in election campaigns; and
- security of personal data during remote learning.
1.3. Case law
Please see the section on enforcement decisions below.
2. Scope of Application
According to Article 1 of the Act, it applies to the protection of natural persons with regard to the processing of personal data within the scope specified in Article 2 and Article 3 of the GDPR.
The Amending Act did not regulate this issue.
The Act explicitly incorporates Article 3 of the GDPR on the territorial scope of the GDPR.
The Amending Act did not provide modifications of the GDPR applicability provisions.
The Act refers explicitly to Article 2 of the GDPR. In the following parts of this Guidance Note, we describe some national law variations important for businesses.
In addition, national regulations on various types of secrecy (e.g. banking secrecy, communication secrecy) may affect the rules for personal data processing, in particular the legal bases for the processing.
3.1. Main regulator for data protection
The UODO is the main regulator for data protection in Poland. In addition, a violation of rules on direct marketing may result in action being taken by other authorities, such as the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.
3.2. Main powers, duties and responsibilities
The rules of appointment and competencies of the UODO are provided in the Act, which mainly reiterates the powers, duties, and responsibilities set out in the GDPR.
Those powers, duties, and responsibilities include:
- conducting compliance audits, issuing administrative decisions, and publicising decisions where this is in the public interest;
- applying to the administrative courts for opinions under Article 267 of the Treaty on the Functioning of the European Union regarding the validity of decisions by the European Commission;
- asking other authorities to ensure effective personal data protection;
- providing opinions on proposed legal regulations on personal data;
- sharing Standard Contractual Clauses ('SCCs'), approved codes of conduct, standard data protection clauses, and recommendations on technical and organisational measures on its website;
- announcing a list of the types of processing that require (or do not require) a Data Protection Impact Assessment ('DPIA');
- approving Binding Corporate Rules ('BCRs');
- authorising appropriate safeguards under Article 46 of the GDPR;
- conducting prior consultations;
- demanding disciplinary or other legal proceedings against perpetrators of violations, and demanding notification within a specified time limit of the results of actions taken; and
- cooperating with other supervisory authorities.
Moreover, the Act establishes a Council for the Protection of Personal Data, which is a consultative and advisory body of the UODO.
4. Key Definitions
There are no national law variations regarding the below-listed definitions. The GDPR provisions apply.
Data protection officer: The inspector, in cases and under the principles set out in Article 37 of the GDPR (Article 8 of the Act).
5. Legal Bases
There are no national law variations in relation to consent as a legal basis.
However, the Labour Code provides for special rules regarding the processing of candidate/employee data based on consent. These rules are described in the section on legal bases in other instances below.
There are no national law variations in relation to the performance of a contract as a legal basis.
However, some legal acts, such as the Labour Code or the Banking Law, set out what data a controller is obliged to collect.
There are no national law variations in relation to legal obligation as a legal basis.
However, there are a number of provisions of law that provide legal obligations, as envisaged under Article 6(1)(c) of the GDPR.
There are no national law variations in relation to the protection of the interest of the data subject as a legal basis.
There are some situations where the Amending Act introduced derogations relating to Article 6(1)(e) in connection with Articles 6(2) and 6(3) of the GDPR addressed to public bodies. For example, in the case of the operation of the Environmental Protection Inspectorate, the Amending Act specified how data processing obligations must be fulfilled (e.g. method of providing the privacy notice, limitation of certain data subjects rights).
There are no national law variations in relation to legitimate interests as a legal basis.
Specific rules on processing employee data
Generally, according to the Labour Code, the employer is obliged to process the personal data of candidates/employees explicitly mentioned in the Labour Code and other laws, such as:
- Act of 13 October 1998 on Social Security (only available in Polish here);
- Act of 4 March 1994 on Social Benefits Fund (only available in Polish here); and
- Act of 4 October 2018 on Employee Capital Plans (only available in Polish here).
In addition, the employer may request other data if it is necessary to exercise a right or perform an obligation resulting from a legal provision.
In addition, the employer may collect and process data in order to perform the employment contract (e.g. related to remuneration) based on Article 6(1)(b) of the GDPR, or to pay taxes and social security contributions based on Article 6(1)(c) of the GDPR. Consent and legitimate interest are also viable legal bases for processing employees' personal data.
Pursuant to the Labour Code, the employer can process personal data other than as specified in the labour law regulations (e.g. a person's image and interests) with the data subject's consent. Such data should be provided by the candidate or employee at the request of the (potential) employer or at their own initiative.
Consent cannot be a legal basis for processing personal data relating to criminal convictions and offences regulated in Article 10 of the GDPR. The only basis for such processing is the necessity for compliance with a legal obligation.
Processing of special categories of data by the employer can be based on consent only if the employee provides such data at their own initiative. Employers may also process employees' biometric data if it is necessary to ensure access control to particularly important information or to the premises requiring special protection.
Those employees who will be processing special categories of data should be granted a written authorisation to do so and should be obliged to maintain confidentiality.
Under the Labour Code, the lack of consent for processing data or its withdrawal may not be the basis for disadvantageous treatment of the candidate or of an employee, and it may not cause any negative consequences for these persons. In particular, it may not constitute a reason justifying the refusal of employment, notice of an employment contract, or its termination without notice by an employer.
Additionally, the Labour Code regulates employee monitoring (i.e. CCTV, email monitoring, and other monitoring measures). It is possible to monitor employees based on the employer's legitimate interest provided that the following requirements are cumulatively met (according to the type of monitoring activities):
- the purposes for CCTV may include the necessity to ensure the safety of employees, to protect property, to control production, or to protect the confidentiality of information whose disclosure could expose an employer to damages;
- the purposes for email and other forms of monitoring (e.g. monitoring of phone calls, logs from Radio Frequency Identification ('RFID') cards, business devices, location and safe driving, network activity, visited websites, billings, etc.) may include the necessity to ensure an organisation of work that enables the full use of the working time, and the proper use of the work tools made available to the employee (e.g. whether the employee is using the email account as instructed, in particular in terms of assuring security). Only two purposes are mentioned in the Labour Code, but in our opinion, these purposes should be interpreted broadly. It is currently not clear if employers can monitor employees for other purposes;
- the purpose, scope, and methods of monitoring should be described in the work regulations, in the Corporate Collective Labour Agreement ('CCLA'), or in an announcement (if there are no work regulations or CCLA). If trade unions operate at the employer, a change to the work regulations or CCLA will require cooperation with trade unions;
- the employer is obliged to inform its employees on the implementation of monitoring, in the manner it has approved, no later than two weeks before it is launched;
- the employer is obliged to provide new employees with written information regarding the purpose, scope, and methods of monitoring before admitting them to work;
- monitoring should not violate the confidentiality of correspondence and other personal rights of an employee (e.g. private emails of employees should not be monitored);
- in case of CCTV, the employer has to comply with requirements regarding the location of CCTV cameras (generally CCTV cameras should not be installed in restrooms, locker rooms, canteens, and smoking rooms, as well as in premises made available to trade unions);
- the employer can retain CCTV records for up to three months, unless recordings are used as evidence in proceedings conducted under the law, or the employer has knowledge that they can be evidence in the proceedings;
- the employer is obliged to mark monitored premises and areas in a visible, legible manner by means of appropriate signs or audio notices, no later than one day before monitoring is launched at the workplace; and
- the other principles described in the GDPR should be observed, including principles of purpose limitation and data minimisation.
Monitoring of sanitary rooms requires the prior approval of trade unions or, if there are no trade unions, the prior consent of employee representatives selected in a manner adopted by the employer.
Specific rules on direct marketing
Under Polish law, direct marketing has to be considered from a number of perspectives:
- the data protection perspective;
- the perspective of the Act on Electronic Services (in relation to sending marketing information in the form of emails, SMS/MMS messages, and push notifications via apps and websites); and
- the Telecommunications Act of 16 July 2004 ('the Telecommunications Act') (in relation to marketing via phone, emails, SMS/MMS messages, and push notifications via apps and websites).
The data protection perspective
Under the data protection regulations, marketing can be delivered based on consent or legitimate interest.
Direct marketing based on the Act on Electronic Services
In order to send commercial information addressed to a specific natural person by electronic means of communication, such as texts, emails, or push notifications via apps and websites, the consent of the recipient is required. The consent needs to meet the GDPR requirements.
In addition, the Act on Electronic Services was revised by the Amending Act. The amendment provides that providers of information society services must seek a user's consent for the processing of their personal data where this goes beyond what is necessary to provide such services, for the purposes of:
- advertising; or
- market research or analysing the user's behaviour or preferences with a view to improving the quality of information society services.
It is unclear what data should be considered as necessary to provide information society services and therefore when consent needs to be sought. Most data protection experts believe that the above legislation is in breach of Article 6 of the GDPR, since it introduces more specific rules on the lawfulness of processing without there being grounds for such derogation in the GDPR itself. The UODO is silent on this point.
Direct marketing based on the Telecommunications Act
The Telecommunications Act regulates, in particular, sending marketing information via telecommunications terminal equipment and marketing calls. This covers in particular:
- SMS/MMS messages; and
- emails and phone calls, including via automated calling systems.
Thus, in Poland two acts regulate the same issue of sending direct marketing via emails and texts. The Telecommunications Act requires that a separate consent of the end-user is sought for sending marketing information via telecommunications terminal equipment and marketing calls (including via automated calling systems). The consent needs to meet the GDPR requirements. Accordingly, in order to conduct marketing activities in full compliance with the Act on Electronic Services and the Telecommunications Act, two separate consents are required (one for sending marketing information and one for the use of telecommunications terminal equipment and automated calling systems) on top of any consent required from the data protection perspective (according to the interpretations of the UODO and the Office of Electronic Communication). However, this is usually not done in practice. Organisations often collect just one consent for marketing communication or for specific communication channels.
The Act on Electronic Services and the Telecommunications Act partially implemented the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), following the 'opt in' rather than the 'opt out' model.
The Draft Act will replace the direct marketing regulations in the Act on Electronic Services and the Telecommunications Act. Under the Draft Act, the prior consent of subscribers and end users is required for sending commercial information, including direct marketing via telecommunications terminal equipment.
The consent will need to meet the GDPR requirements. However, it may also be collected by the subscriber or end user disclosing their identifying electronic address so that commercial information can be sent to them.
Specific rules on cookies
According to Article 173 of the Telecommunications Act, consent for cookies may be expressed by adjusting the settings of the software installed in the telecommunications terminal equipment used by that subscriber or end-user, or by adjusting the configuration of the service (e.g. by browser settings).
Although, under Article 174 of the Telecommunications Act, cookie consent is to be interpreted in line with the GDPR consent requirements, some publishers still obtain implied consent (e.g. provided by further use of the website) by reference to Article 173 of the Telecommunications Act.
According to a UODO decision (issued at the end of 2021), consent provided via browser settings without the user's active action was considered invalid, as it did not meet the GDPR requirements. The UODO consequently ordered the deletion of the IP address and cookie ID, but no administrative fine was imposed. The controller contested the decision and the court set it aside (for reasons unrelated to consent).
The Telecommunications Act also requires that, prior to giving consent, the user is informed expressly, in an unambiguous, simple, and comprehensible manner, about:
- the purpose of the storing and accessing non-essential cookies; and
- the possibility of adjusting the settings of the software installed in the telecommunications terminal equipment used by that subscriber or end user or by adjusting the configuration of the service (e.g., by way of browser settings).
The Draft Act provides for similar regulations on cookies that are currently in the Telecommunications Act.
Processing for scientific or historical research purposes
The Act does not regulate legal grounds for personal data processing. However, some Polish sectoral acts provide specific legal bases for various processing activities.
The Amending Act introduced changes to the following acts in order to implement Article 89 of the GDPR:
- Act of 29 June 1995 on Public Statistics (only available in Polish here), including inter alia the exclusion of the application of Articles 15, 16, 18, and 21 of the GDPR;
- Act of 20 July 2018 on Higher Education and Science (only available in Polish here), regulating data processing for scientific research purposes, including inter alia the exclusion of the application of Articles 15, 16, 18, and 21 GDPR in specific situations. These changes apply only to entities and institutions listed in this act. Additionally, under those changes specific security measures need to be implemented for personal data processing in relation to scientific research;
- Act of 14 July 1983 on the National Archival Resources and Archives (only available in Polish here), including inter alia the limitation of the application of Articles 16 and 18 of the GDPR; and
- Act of 28 April 2011 on the Information System in Health Care (only available in Polish here), regulating that data included in medical records can be made available for the purpose of conducting scientific research and for statistical purposes only in anonymised form.
There are no national law variations regarding the principles relating to personal data processing.
7. Controller and Processor Obligations
There are no national specific notification or registration requirements, except for the requirement to notify the appointment of a DPO / deputy DPO as described in section on DPO appointment.
There are no national law variations regarding data transfers.
In most cases, national law does not require storing (business) data or documentation within the territory of Poland. However, there are some exceptions to this rule, for example:
- documentation containing classified information or state secrecy; and
- specific telecommunication data in the case of operators of a public telecommunications network and providers of publicly available telecommunications services.
There are no national law variations regarding data processing records.
There are no national law variations regarding carrying out a DPIA.
There is no list of activities subject to prior consultation or authorisation. The UODO has published the amended list of types of processing activities for which carrying out a DPIA is required (the Poland Blacklist), which states that, as a rule, processing which meets at least two of the criteria below will require a DPIA:
- evaluation or assessment, including profiling and prediction (behavioural analysis), for purposes which can produce negative legal, physical or financial effects, or other inconveniences, for individuals;
- automated decision-making producing legal, financial or similarly significant effects;
- systematic monitoring of publicly accessible areas on a large scale using elements of recognition of characteristics or properties of objects present in the monitored area. This group of systems does not include video surveillance systems in which the image is recorded and used only where an analysis of incidents of breach of law is needed;
- processing of special categories of personal data and personal data relating to criminal convictions and offences;
- processing of biometric data for the purpose of uniquely identifying a natural person or verifying access control;
- processing of genetic data;
- data processed on a large scale, where the notion of large scale concerns:
  - the number of persons whose data are processed;
  - the scope of processing;
  - the data storage period; and
  - the geographical scope of processing;
- making comparisons, evaluating or drawing conclusions based on analysis of data obtained from various sources;
- processing of data concerning persons whose evaluation, and the services provided to them, depend on entities or persons which have supervisory and/or evaluating powers;
- innovative use or application of technological or organisational solutions;
- cases where the processing itself prevents data subjects from exercising a right or using a service or a contract; and
- processing of location data.
Moreover, the UODO has not provided any predetermined low-impact activities that are exempt from a DPIA.
How to conduct a DPIA
Page 33 of the Guidance Part 2 includes a diagram with steps for carrying out a DPIA, while pages 36 and 37 contain a chart outlining the process for carrying out a DPIA and a table with an example of applying the risk-based approach to a processing activity.
Additionally, the UODO has not issued any templates or checklists on conducting a DPIA. However, the UODO has endorsed the French data protection authority's ('CNIL') Privacy Impact Assessment ('PIA') tool, and noted that the Polish translation was approved by the UODO. The CNIL's PIA assessment tool can be accessed online here or here, or downloaded for Windows here, for Mac OS here, and for Linux here. Please note that the CNIL announced, on 24 June 2020, that it had launched an updated PIA assessment tool, which can be accessed online here and here, or downloaded for Windows here, for Mac OS here, and for Linux here (press release only available in French here).
Under the Act, not only data controllers but also data processors may request prior consultation from the UODO (Article 57(1) of the Act). In line with the prior consultation guidelines (only available in Polish here) ('the Prior Consultation Guidelines'), a request for prior consultation can be made by submitting an electronic form for prior consultation through the Electronic Platform of Public Administration Services ('ePUAP') (only available in Polish here). In order to submit the form, it is necessary to create an account and a trusted profile on ePUAP.
The Prior Consultation Guidelines specify that the form must satisfy the requirements set out in Article 63 of the Act of 14 June 1960, Code of Administrative Procedure (only available in Polish here) ('the Administrative Procedure Code'). The Prior Consultation Guidelines highlight that, in addition to the information specified in Article 36(3) of the GDPR, the form should include at least the following information: an indication of the person submitting the form, their address and request, and their signature. Furthermore, the Prior Consultation Guidelines outline that the electronically submitted form must bear a secure electronic signature or be verified with the ePUAP trusted profile (Article 63(3)(a) of the Administrative Procedure Code).
In addition, the Prior Consultation Guidelines state that if the form is submitted by proxy, it should also include a power of attorney, in line with Article 33(3) and (3a) of the Administrative Procedure Code, as well as proof of payment of the administrative fee of PLN 17 (approx. €4), in line with Article 3(1) of the Regulation of the Minister of Finance of 28 September 2007 on the Payment of Administrative Costs (only available in Polish here).
During the procedure conducted under prior consultation, the President of the UODO may request applicants to provide additional information necessary for the purposes of consultation (Article 36(2) of the GDPR).
The Prior Consultation Guidelines specify that if the submitted form shows that the DPIA did not identify a high risk, or if the submitted form does not fulfil the requirements of Article 36(3) of the GDPR and Article 63 of the Administrative Procedure Code, the President of the UODO will inform the person requesting prior consultation of the refusal to consult, specifying the reasons for the refusal (Article 57(3) of the Act).
Public organisations that are under an obligation to appoint a DPO include: entities in the public finances sector, research institutes, and the National Bank of Poland (Article 9 of the Act).
In accordance with the DPO Appointment Guidelines, appointment of more than one DPO is not allowed. Furthermore, it should be clear to individuals internally (i.e. employees who are involved in the data processing) and externally (i.e. data subjects and the UODO) who performs the function of a DPO and is responsible for the monitoring of compliance of the processing of personal data with the law.
The DPO Guidance provides that no legal person can perform the functions of a DPO. While the law does not prohibit related parties from being designated as DPOs, the DPO Guidance states that it is necessary to carefully analyse and assess whether specific family relationships would affect the independent performance of the DPO's tasks and duties or cause a conflict of interests within the meaning of Article 38(6) of the GDPR. Nonetheless, the DPO Guidance states that a lawyer can still be a DPO.
Joint function as a proxy for the protection of classified information
The DPO Appointment Guidelines specify that a DPO may also perform the role of a proxy for the protection of classified information, whose task is to oversee compliance with rules on the protection of classified information, in line with the Act of 5 August 2010 on the Protection of Classified Information (only available in Polish here). Performing both roles cannot be detrimental to a DPO's independence and position in the structure of the organisation, nor lead to a conflict of interests as specified in the GDPR.
Joint function as a line manager
In line with the DPO Appointment Guidelines, performing the role of both a line manager and a DPO requires an assessment of the possibility of a conflict of interest which takes into account the following criteria:
- organisational: a DPO should be directly subordinate to the top management of the organisation;
- substantive: additional responsibilities should not negatively impact the independence of a DPO; and
- timing: a DPO should have sufficient time to perform their tasks, taking into account factors such as the quantity and complexity of their duties.
Joint function as an ASI
The DPO Appointment Guidelines outline that the tasks of an IT system administrator ('ASI') include administration of servers used for data processing, implementation of IT system security measures, detection of unauthorised access to the system, and configuration of user accounts. Taking into account the nature of an ASI's tasks, assigning a joint function of an ASI and a DPO to one person may lead to a conflict of interests or negatively impact their independence, contrary to the GDPR.
In particular, the DPO Appointment Guidelines highlight that, under Article 38(3) of the GDPR, a DPO may not be subordinate to anyone within an organisation apart from top management. Therefore, in the UODO's view, assigning a joint function of a DPO and an ASI to one person requires that they are not subordinate to, e.g. an IT manager or anyone else apart from top management. In this regard, the UODO noted that when assigning the position of an ASI and a DPO to one person, the data controller should make an individual assessment of the applicable circumstances and continuously monitor the possibility of a conflict of interests arising.
Register of processing
The DPO Tasks Guidelines highlight that, despite the fact that the obligation to maintain a register of processing under Article 30 of the GDPR is a responsibility of data controllers and data processors, the knowledge and skills of a DPO imply that they may be involved in the process of creating and maintaining the register of processing, as well as use it in the performance of their tasks. In addition, the DPO Tasks Guidelines outline that a DPO may support the data controller or the data processor in the creation and maintenance of a register of processing by, for instance, gathering information for the purpose of identification of the processing activities.
The DPO Tasks Guidelines specify that since a works council operates as a data controller independent from an employer, an employer's DPO is not under an obligation to also act as a DPO for the works council, unless other arrangements are put in place.
Cooperation with UODO
DPOs can contact the UODO with questions relating to the applicable data protection rules through a specially established hotline, as explained on UODO's website (only available in Polish here). Furthermore, the UODO has issued a newsletter for DPOs, which can be subscribed to on UODO's website (only available in Polish here).
In line with the DPO Appointment Guidelines, the function of a DPO in Poland may be performed by a foreigner. However, the UODO notes that, in line with the guidelines, a data controller is obliged to ensure effective communication in Polish between the DPO and the UODO, as well as data subjects. Moreover, the Amending Act has introduced an additional role, a deputy DPO, who acts in the absence of the DPO. The requirements for a deputy DPO's position, notification, and publication of contact details are the same as for the designation of the DPO.
Furthermore, the DPO Tasks Guidelines highlight that a DPO is not entitled to grant authorisations for the processing of personal data, as this could potentially create a conflict of interest.
The Act introduces an obligation to notify the UODO about the designation of a DPO within 14 days following the appointment, and about any subsequent changes to the DPO. Moreover, a company that designates a DPO is obliged to publish the DPO's contact details, including name, surname, and email address or phone number, on its website or, in the absence of a website, in a manner generally accessible at its place of business (Article 11 of the Act). It is market practice to provide the DPO's email address rather than their phone number. It should be noted that an organisation may choose whether to publish the appointed DPO's e-mail address or phone number on its website; it is not necessary to publish both.
In addition, a change of DPO details, as well as dismissal of a DPO, should also be communicated to the President of UODO within 14 days. In case a group of undertakings appoints a single DPO, each of the undertakings must notify their DPO contact details separately (Article 10 of the Act).
In line with the DPO Notification Guidelines, the only method for notification of appointment, dismissal, or change of details of a DPO to the UODO is electronic notification, which must include an electronic signature (guidance on which can be accessed here, only available in Polish) confirmed with an ePUAP trusted profile. The notification form should be sent in Polish.
Moreover, notification can be made through the Ministry of Entrepreneurship and Technology's website biznes.gov.pl. A DPO appointment notification form is available here, a DPO change of contact details notification form here, a DPO dismissal notification form here, and a DPO dismissal and new DPO appointment notification form here. Alternatively, forms can be sent through epuap.gov.pl. The forms are only available in Polish here.
The DPO Notification Guidelines also specify that notification of a DPO can be made by proxy through a power of attorney, which should be granted in electronic form (Article 10(2) of the Act) and include an electronic signature, confirmed with the ePUAP trusted profile, of a person authorised to represent the data controller. The administrative fee of PLN 17 (approx. €4) for the power of attorney can be paid to the UODO via bank transfer.
If a DPO is appointed at group level and the DPO function is meant to cover Poland as well, the global DPO must be notified to the UODO.
The DPO Appointment Guidelines highlight that the GDPR and the guidelines do not specify a limit of how many organisations may appoint a single DPO. The DPO Appointment Guidelines outline that a group of organisations may only appoint a single DPO in justified circumstances and that this should be within reasonable limits. To assess this, a number of aspects should be taken into account, including the availability of a DPO, their capability to gain in-depth knowledge about the functioning of an organisation, having sufficient time to perform their tasks, avoiding a conflict of interests, as well as the size and organisational structure of the organisation that is the data controller. This requires a case-by-case assessment.
There is no general national notification variation or exemption. A breach notification form is available in Polish here. Notification must be submitted electronically in Polish.
In Poland, there are several statutory minimum or maximum retention periods set out by law. In other cases, retention periods must be established based on the GDPR storage limitation principle stating that personal data should not be retained for longer than it is necessary for the purpose. In general, the UODO has not issued specific guidelines on the subject.
Examples of retention periods set out by law include:
- employee documentation for ten to 50 years (depending on the particular circumstances);
- documentation of accidents and injuries at work for ten years from the date the files were created;
- employee CCTV recordings for three months from the date of recording (if the recorded event is subject to further proceedings, as long as the event is fully explained); and
- tax documentation for five years from the end of the calendar year in which tax payment was due.
In the case of personal data processing in relation to journalistic, artistic, or literary activity, Article 5 of the GDPR, regulating inter alia the storage limitation principle, does not apply.
The national regulations do not change the age of consent specified in the GDPR. In the case of services provided via electronic means (online services), minors may consent to the processing of their personal data on their own when they reach the age of 16.
In other contexts, if the minor is above the age of 13, both a legal representative (e.g. parent) and the minor need to consent to the processing of the minor's personal data, or the legal representative may consent on behalf of the minor. If the minor is below the age of 13, only the legal representative may consent to the processing of the minor's personal data.
There are no general national rules on the processing of special categories of data or criminal conviction data, but some specific variations or exclusions are provided in Polish regulations. These specific provisions primarily apply to public bodies and provide a legal basis for processing special categories of data or criminal conviction data and further conditions to do so.
Examples of regulations applicable to the private sector include:
- Act of 11 September 2015 on Insurance and Reinsurance (only available in Polish here), under which insurance companies may process special categories of personal data, including health data, in order to assess insurance risk and to perform a contract; and
- Act of 11 September 2019 Public Procurement Law (only available in Polish here), regarding the obligation to provide criminal conviction data in certain situations.
In some cases, Polish regulations require specific security measures to protect special categories of personal data or criminal conviction data. The main security measures for the processing of special categories of personal data or criminal conviction data are that only persons appropriately authorised in writing who are obliged to maintain confidentiality may process special categories of personal data (e.g. persons processing employees' special categories of data) or criminal conviction data (e.g. persons processing criminal conviction data in proceedings for concession contract for construction works or services).
Specific rules for the processing of special categories of employee data are described in the section on legal bases in other instances above.
There are no national law variations regarding data processing agreements and cooperation between a controller and processor.
8. Data Subject Rights
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Articles 13 and 14 of the GDPR do not apply. Additionally, in the case of personal data processing in relation to academic expression, Article 13 of the GDPR does not apply.
The controller is exempt from information provision obligations under Articles 13(3), 14(1), (2), and (4) of the GDPR if:
- the controller performs a public task;
- the processing serves to perform such a task; and
- it is necessary to achieve the objectives stipulated in Article 23(1) of the GDPR, as well as other conditions set out in Articles 3 and 4 of the Act are met.
The Amending Act introduced changes to a number of acts that exclude public bodies from the obligation to provide individual information to data subjects. Instead, public bodies are obliged to publish public information on their websites or put information up in a visible place in the building where they operate.
In addition, the Amending Act introduced other specific regulations regarding the right to be informed, e.g. changes to the Act of 30 May 2014 on Consumer Rights (only available in Polish here) enable micro-entrepreneurs to provide a privacy notice under Article 13 of the GDPR by hanging it in the business premises in a visible place or providing the relevant information on their website.
This exemption does not apply if:
- the data subject does not have the opportunity to become acquainted with the privacy notice;
- the data controller processes the data referred to in Article 9(1) of the GDPR (i.e. special category data); and
- the data controller discloses data referred to in Article 9(1) of the GDPR (i.e. special category data), except when such disclosure is based on consent or the fulfilment of a legal obligation.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 15 of the GDPR does not apply. Additionally, in the case of personal data processing in relation to academic expression, Articles 15(3) and 15(4) of the GDPR do not apply.
Controllers performing a public task are exempted from providing data subjects with the information specified in Articles 15(1) to (3) of the GDPR if not providing such information is necessary to achieve the objectives stipulated in Article 23(1) of the GDPR and other conditions set out in Article 5 of the Act are met.
Under the Act, controllers receiving data from an entity performing a public task are exempt from providing the information specified in Articles 15(1) to (3) of the GDPR if the entity made the request on the basis of the necessity to properly perform a public task aimed at, in particular, the prevention, investigation, detection, or prosecution of criminal offences.
In addition, the Amending Act introduced other specific regulations regarding the right to access, e.g. in case of personal data processing by:
- financial sector entities (e.g. banks, insurers, investment funds), to the extent that it is necessary for the proper performance of their tasks related to counteracting money laundering and financing of terrorism, as well as preventing other crimes, in which case all the rights described in Article 15 of the GDPR are excluded; and
- persons performing the professions of attorney-at-law, notary, tax advisor, sworn translator, and an employee of the General Counsel to the Republic of Poland ('the Professions'), in which case the Amending Act limited the application of Articles 15(1) and 15(3) of the GDPR due to the obligation of secrecy imposed upon them.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 16 of the GDPR does not apply.
In addition, the Amending Act introduced other specific regulations regarding the right to rectification. For example, in the case of personal data processing for public statistics purposes, the Amending Act excluded the application of Article 16 of the GDPR.
There are no national law variations regarding the right to erasure.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 21 of the GDPR does not apply.
In addition, the Amending Act introduced other specific regulations regarding the right to object. For example, in the case of personal data processing by persons performing the Professions (see section on the right to access above), the Amending Act excluded the application of Article 21(1) of the GDPR due to the obligation of secrecy imposed upon them.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 20 of the GDPR does not apply.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 22 of the GDPR does not apply.
In addition, the Amending Act introduced a number of possibilities to perform automated decision-making, including profiling, and excluded the data subject's right not to be subject to such decision-making, in particular in the case of personal data processing by:
- banks and other entities granting credits in order to assess credit standing and credit risk;
- insurers in order to assess insurance risk and perform other insurance operations; and
- the General Inspectorate of Road Transport in connection with using traffic enforcement cameras.
However, additional requirements need to be met by the abovementioned controllers.
Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Articles 18 and 19 of the GDPR do not apply. Additionally, in the case of personal data processing in relation to academic expression, Article 18 of the GDPR does not apply.
In addition, the Amending Act introduced other specific regulations regarding the rights under the GDPR. For example, in the case of personal data processing by persons performing the Professions (see section on the right to access above), the Amending Act limited the application of Articles 18 and 19 of the GDPR due to the obligation of secrecy imposed upon them.
A cap on administrative fines for public bodies was introduced: up to PLN 100,000 (approx. €21,330), or up to PLN 10,000 (approx. €2,130) for cultural institutions.
In addition to the sanctions applicable under the GDPR, the Act provides criminal liability. Unpermitted or unauthorised processing of personal data, jeopardising or impeding an audit by the UODO, or failure to provide the UODO with data necessary to determine the basis for an administrative fine may entail criminal liability (e.g. a fine, restriction of personal liberty, or imprisonment of up to three years).
The Amending Act introduced changes to the Act of 6 June 1997 Penal Code (only available in Polish here) that penalise threatening a person with criminal proceedings, or other proceedings in which an administrative pecuniary penalty may be imposed. The change is aimed at counteracting GDPR-related fraud.
Decisions issued by the UODO can be accessed online (only available in Polish here). The UODO carries out audits in accordance with its annual audit plans and outside the scope of its audit plan.
The audit plan for 2023 envisages audits regarding:
- authorities processing personal data in the Schengen Information System and Visa Information System with regard to the processing of SIS/VIS personal data on the basis of the provisions of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and Visa Information System (available only in Polish here), implementing acts and European Union regulations;
- entities processing personal data through mobile applications with regard to the method of securing and sharing data in connection with the use of such applications; and
- entities processing personal data through Internet (web) applications with regard to the method of securing and sharing data in connection with the use of such applications.
To date, the UODO has issued over 40 decisions involving administrative fines for various types of non-compliance with the GDPR, such as:
- not providing information required under Article 14 of the GDPR;
- data breaches that resulted in data leakage;
- failure to provide a mechanism for withdrawal of consent;
- lack of cooperation with the UODO;
- the absence of an agreement with a data processor and failure to update the register of processing activities;
- implementing inappropriate technical and organisational measures ('TOMs'); and
- other related violations of personal data protection principles.
The below table presents details of notable decisions/case law. Each entry gives the date of the decision, the amount of the fine, and a description of the UODO's decision:
- Date: 15 March 2019. Fine: approximately PLN 1 million (approx. €213,380). The fine was imposed on a data broker for not providing approximately six million sole traders with its privacy notice. On 11 December 2019, the Provincial Administrative Court in Warsaw ('the Administrative Court') annulled the fine. The Administrative Court decided that the UODO should reassess the case. Since this reassessment may have a bearing on the amount of the fine, the fine was annulled. The judgement is not final.
- Date: 10 September 2019. Fine: exceeding PLN 2.8 million (approx. €597,450). The fine was imposed on Morele.net, a major e-commerce retail platform, for its failure to put in place appropriate safeguards against unauthorised access to personal data. Morele.net suffered a major hacking attack, resulting in data relating to 2.2 million of its clients being harvested by attackers. The harvested data was then used to carry out spear phishing and was published online. On 3 September 2020, the Administrative Court upheld the fine imposed by the UODO. The judgement is not final.
- Date: 18 October 2019. Fine: PLN 40,000 (approx. €8,530) [the maximum penalty for public authorities is PLN 100,000 (approx. €21,330)]. The fine was imposed on the mayor of a city for, inter alia, the lack of a data processing agreement, processing personal data for longer than the retention period set by law, publishing city council meetings on YouTube only (without any backup solution, which could result in them being unavailable or lost), and not having information on all recipients and retention periods entered in the register of processing activities. On 26 August 2020, the Administrative Court upheld the fine imposed by the UODO. The judgement is not final.
- Date: 16 October 2019. Fine: exceeding PLN 201,000 (approx. €42,890). The fine was imposed on a direct marketing provider for failing to enable users to unsubscribe from direct marketing (withdraw their consent) and to exercise their right of data erasure. On 10 February 2021, the Administrative Court upheld the fine imposed by the UODO. The judgement is not final.
- Date: 9 March 2020. Fine: PLN 20,000 (approx. €4,430). The fine was imposed for making it impossible to carry out an inspection. The UODO notified the company of its intention to carry out an inspection in the company's office. At the announced time of the inspection, not a single company officer or staff member was present at the office. When the UODO set a further date for the inspection, the company continued this curious game of hide-and-seek. In addition, the company cancelled the lease of the office premises where the inspection was to be carried out, and the company's shareholders decided to wind up the business. The decision is only available in Polish here.
- Date: 29 May 2020. Fine: PLN 15,000 (approx. €3,320). The fine was imposed for failing to provide the UODO with access to personal data and other information necessary to perform its tasks. Following a complaint from an individual (initially lodged with the Rhineland-Palatinate data protection authority, but then referred to the UODO), the UODO repeatedly requested that the company explain and justify its data handling practices. The company either failed to respond or gave vague, self-contradictory, or unsatisfactory answers. On 26 January 2021, the Administrative Court upheld the fine imposed by the UODO. The judgement is final.
- Date: 3 June 2020. Fine: PLN 5,000 (approx. €1,060). The fine was imposed for lack of cooperation with the UODO. Following a data breach notification made by the private owner of a nursery, the UODO repeatedly requested a copy of the communication that the owner purported to have conveyed to the individuals affected. The requests were sent in letters to the owner's listed address for service of correspondence and to the address of her principal place of business. The owner failed to collect most of the letters. The one letter that she did collect, however, remained unanswered. The decision is only available in Polish here.
- Date: 21 August 2020. Fine: PLN 50,000 (approx. €10,670). The fine was imposed on a state-owned university for its failure to comply with a number of obligations under the GDPR, which came to light after a major data breach and a subsequent inspection by the UODO. A university employee was using his private laptop for work-related purposes without being authorised to do so under the university's policies. The laptop held a copy of a considerable portion of the university's database, including personal data relating to approximately 100,000 applicants who had applied to the university over the last five years. The laptop was stolen, which led to a loss of confidentiality of 81,624 records. After the breach was notified, the UODO inspected the university's premises and databases. It found that a number of infringements overlapped in this instance. The university had failed to: implement safeguards for its databases; implement a mechanism for the traceability of events, including extractions, concerning its databases; ensure its BYOD policies were complied with; and ensure that university applicants' personal data was erased from all locations upon expiration of the applicable retention periods. On 13 May 2021, the Administrative Court upheld the fine imposed by the UODO. The judgement is not final.
- Date: 3 December 2020 and, following reassessment, 16 November 2022. Fine: PLN 1.9 million (approx. €405,410) and approximately PLN 1.6 million (approx. €341,400), respectively. The fine was imposed for not implementing appropriate TOMs to ensure the security of the data processed. This came to light after a data breach and a subsequent inspection by the UODO. The UODO established that the company did not conduct regular and comprehensive tests, measurements, and evaluations of its TOMs. The company only tested its security measures where suspicions of a vulnerability emerged or in connection with organisational changes. In particular, the company did not test for vulnerabilities related to the transfer of data between the applications used to service clients buying pre-paid services. An unauthorised person took advantage of the vulnerability in the data exchange between these systems to obtain data of some of the company's clients. On 21 October 2021, the Administrative Court annulled the fine imposed by the UODO. The judgement is final. The UODO once again investigated the case and again found that the company had failed to implement appropriate TOMs to ensure the security of the data processed. The decision is only available in Polish here.
- Date: 9 December 2020. Fine: PLN 85,588 (approx. €18,260). The fine was imposed on an insurance and reinsurance company for not notifying a personal data breach to the UODO without undue delay. The data breach consisted of an insurance agent, acting as the company's processor, sending an email containing an insurance policy to an unauthorised recipient. The insurance policy contained various data, including, inter alia, names, addresses, and national identification numbers. The UODO received information on the data breach from the unauthorised recipient of the email. As a consequence, the UODO requested the company to clarify whether it had carried out the risk assessment enabling it to decide whether the data breach should be notified to the UODO and to the data subjects affected by the breach. The company confirmed that it had carried out such an assessment and that, based on the assessment, it found that the breach was not required to be notified to the UODO and data subjects due to the low risk to the rights and freedoms of data subjects. The UODO disagreed with this approach, because it found that the risk to such rights and freedoms was high, and that both the UODO and the data subjects should therefore have been notified. The decision is only available in Polish here.
- Date: 5 January 2021. Fine: PLN 85,000 (approx. €18,140). The fine was imposed on an entrepreneur operating in the healthcare industry for non-compliance with an order imposed on it in a UODO decision. The UODO had ordered the entrepreneur to inform data subjects about a data breach that had affected their data and to make recommendations on how to minimise the potential negative effects of the breach. The entrepreneur did not comply with the order. This was revealed in an inspection by the UODO aimed at verifying whether the obligations imposed in the decision had been fulfilled. The decision is only available in Polish here.
- Date: 11 January 2021. Fine: PLN 136,000 (approx. €29,020). The fine was imposed on a company in the power industry for its failure to notify a personal data breach to the UODO. The breach involved an email sent to an unauthorised recipient with an unprotected attachment containing the personal data of several hundred people. The UODO found out about the breach from the unauthorised recipient of the email. The decision is only available in Polish here.
- Date: 22 April 2021. Fine: PLN 1.1 million (approx. €234,710). The fine was imposed on a DTH platform for not implementing appropriate TOMs in its cooperation with a courier company. The DTH platform frequently notified the UODO of data breaches involving lost correspondence containing personal data or the delivery of such correspondence to unauthorised recipients by the courier company. It turned out that the DTH platform notified such breaches to the UODO and data subjects with a long delay, only once it received information from the courier company. The UODO found that the DTH platform had failed to implement effective measures that would minimise the number of such breaches, allow for their faster identification, and therefore allow faster notification to the UODO and data subjects. On 15 November 2021, the Administrative Court annulled the fine imposed by the UODO. The judgement is final.
- Date: 8 June 2021. Fine: PLN 100,000 (approx. €21,600). The fine was imposed on a cellular telecommunications provider for failing to notify the UODO about personal data breaches in time. The UODO repeatedly asked the controller for explanations regarding its submission of notifications after the deadline. When the controller failed to implement appropriate measures to eliminate such breaches in the future, the UODO decided to impose a fine on the controller. The decision is only available in Polish here.
- Date: 14 October 2021. Fine: PLN 363,000 (approx. €77,460). The fine was imposed on a bank for failing to notify the UODO and data subjects of a personal data breach. The breach involved correspondence containing personal data (including names, national identification numbers, addresses, bank account numbers, and customer identification numbers) that was lost by a courier company. The UODO found out about the breach from the data subjects affected by it. It turned out that the bank had informed the data subjects about the breach; however, the information provided was insufficient (not compliant with the GDPR requirements). The bank considered that the risk of negative consequences for the data subjects involved was medium, so it did not notify the data breach to the UODO and did not provide the data subjects with the full information required under the GDPR. The UODO questioned the bank's data breach assessment. The decision is only available in Polish here.
- Date: 19 January 2022. Fine: PLN 545,748 (approx. €116,460). The fine was imposed on a bank for failing to notify data subjects of a data breach without undue delay. The bank reported a data breach to the UODO after it found that a former employee had unauthorised access to the payer's profile on the National Healthcare Fund's Electronic Services Platform, despite the termination of his employment. The bank established that the employee had accessed the Platform five times after he left the bank. The decision is only available in Polish here.
- Date: 19 January 2022. Fine: PLN 4.9 million (approx. €1.04 million) for the controller and PLN 250,135 (approx. €53,380) for the processor. The fine was imposed on: (i) the controller, an electricity and gas supplier, for failing to implement appropriate TOMs to ensure the security of personal data, resulting in a breach of its confidentiality, and for failing to verify whether the processor provided sufficient guarantees to implement appropriate TOMs so that the processing met the GDPR requirements; and (ii) the processor, for failing to implement appropriate TOMs to ensure the security of personal data, including ensuring its confidentiality. The data breach involved unauthorised persons copying the controller's customer data. This occurred when a change was made to the ICT environment by the processor. The breach occurred as a result of the processor's failure to apply basic security measures against unauthorised access. It was underlined that the controller was also obliged to regularly test, measure, and evaluate the effectiveness of TOMs to ensure the security of processing. The decision is only available in Polish here.
- Date: 6 July 2022. Fine: PLN 60,000 (approx. €12,800) [the maximum penalty for public authorities is PLN 100,000 (approx. €21,330)]. The fine was imposed on the Surveyor General of Poland for failing to report a data breach to the UODO and failing to notify data subjects. The service run by the Surveyor displayed land registry numbers for more than 48 hours. With a land register number, it is easy to determine a range of property owners' data, including their national identification number, first and last names, parents' names, and property address. The UODO found out about the breach from the media. The Surveyor maintained that land registry numbers are not personal data; the UODO disagreed. This is the third penalty imposed on the Surveyor. The decision is only available in Polish here.