
Poland - Data Protection Overview

February 2024

1. Governing Texts

Data protection in Poland is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Act of May 10, 2018, on the Protection of Personal Data (only available in Polish here) ('the Act').

1.1. Key acts, regulations, directives, bills

The Act regulates procedural issues and other specific rules concerning, inter alia:

  • the obligation of public bodies to designate a data protection officer ('DPO');
  • the notification of the appointment of a DPO;
  • the appointment of a 'deputy DPO' in the absence of the DPO;
  • the accreditation of an entity authorized to grant certification;
  • the entities authorized to monitor codes of conduct and certification;
  • the approval of a code of conduct;
  • the powers of the Polish Data Protection Authority ('the UODO');
  • European administrative cooperation;
  • civil liability, criminal liability, and administrative fines; and
  • changes to the Labour Code of 1974 ('the Labour Code') on employee monitoring.

In addition, the Act of February 21, 2019, Amending Sectoral Laws to Ensure Application of GDPR (only available in Polish here) ('the Amending Act') was intended to adjust the Polish legal system to the requirements of the GDPR. It introduced changes to almost 170 separate sectoral acts, including:

  • the Labour Code;
  • Act of August 29, 1997, on Banking Law (only available in Polish here) ('the Banking Law');
  • Act of May 27, 2004, on Investment Funds and Management of Alternative Investment Funds (only available in Polish here);
  • Act of March 1, 2018, on Counteracting Money Laundering and Financing of Terrorism (only available in Polish here);
  • Act of July 18, 2002, on the Provision of Electronic Services (only available in Polish here) ('the Act on Electronic Services');
  • Act of August 29, 1997, on the Tax Code (only available in Polish here);
  • Act of August 19, 2011, on Payment Services (only available in Polish here);
  • Act of April 10, 1997, on Energy Law (only available in Polish here);
  • Act of June 14, 1960, on the Code of Administrative Procedure (only available in Polish here); and
  • Act of September 11, 2015, on Insurance and Reinsurance Activities (only available in Polish here).

1.2. Guidelines

To date, the following are the most prominent guidelines that have been issued by the UODO:

  • guidance on how to apply a risk-based approach;
  • the Revised list of data processing operations requiring a Data Protection Impact Assessment (only available in Polish here);
  • guidelines on how to maintain records with templates for record of processing activities and record of all categories of processing activities carried out on behalf of a controller, with samples of completed templates;
  • guidelines on CCTV (only available in Polish here);
  • guidelines on data protection in the workplace;
  • guidelines on processing personal data in schools and educational establishments;
  • guidelines on controllers' obligations related to data breaches;
  • guidelines on data protection in election campaigns; and
  • security of personal data during remote learning.

1.3. Case law

Please see the section on enforcement decisions below.

2. Scope of Application

2.1. Personal scope

According to Article 1 of the Act, it applies to the protection of natural persons with regard to the processing of personal data within the scope specified in Article 2 and Article 3 of the GDPR.

The Amending Act did not regulate this issue.

2.2. Territorial scope

The Act explicitly incorporates Article 3 of the GDPR on the territorial scope of the GDPR.

The Amending Act did not provide modifications of the GDPR applicability provisions.

2.3. Material scope

The Act refers explicitly to Article 2 of the GDPR. In the following parts of this Guidance Note, we describe some national law variations important for businesses.

In addition, national regulations on various types of secrecy (e.g., banking secrecy, communication secrecy) may affect the rules for personal data processing, in particular, the legal bases for the processing.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The UODO is the main regulator for data protection in Poland. In addition, a violation of rules on direct marketing may result in action being taken by other authorities, such as the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.

3.2. Main powers, duties and responsibilities

The rules of appointment and competencies of the UODO are provided in the Act, which mainly reiterates the powers, duties, and responsibilities set out in the GDPR.

Those powers, duties, and responsibilities include:

  • conducting compliance audits, issuing administrative decisions, and informing the public about decisions where this is in the public interest;
  • applying to the administrative courts for opinions under Article 267 of the Treaty on the Functioning of the European Union regarding the validity of decisions by the European Commission;
  • asking other authorities to ensure effective personal data protection;
  • providing opinions on proposed legal regulations on personal data;
  • sharing Standard Contractual Clauses ('SCCs'), approved codes of conduct, standard data protection clauses, and recommendations on technical and organizational measures on its website;
  • announcing a list of the types of processing that require (or do not require) a Data Protection Impact Assessment ('DPIA');
  • approving Binding Corporate Rules ('BCRs');
  • authorizing appropriate safeguards under Article 46 of the GDPR;
  • conducting prior consultations;
  • demanding disciplinary or other legal proceedings against perpetrators of violations, and demanding notification within a specified time limit of the results of actions taken; and
  • cooperating with other supervisory authorities.

Moreover, the Act establishes a Council for the Protection of Personal Data, which is a consultative and advisory body of the UODO.

4. Key Definitions

There are no national law variations regarding the below-listed definitions. The GDPR provisions apply.

Data controller: There is no definition under Polish law. The GDPR definition applies.

Data processor: There is no definition under Polish law. The GDPR definition applies.

Personal data: There is no definition under Polish law. The GDPR definition applies.

Sensitive data: There is no definition under Polish law. The GDPR definition applies.

Health data: There is no definition under Polish law. The GDPR definition applies.

Biometric data: There is no definition under Polish law. The GDPR definition applies.

Pseudonymization: There is no definition under Polish law. The GDPR definition applies.

Data protection officer: There is no definition under Polish law. The GDPR definition applies. However, the Act introduces an additional role, the deputy DPO, who acts in the absence of the DPO. The requirements for notifying the appointment of a deputy DPO and publishing their contact details are the same as those for designating the DPO.

5. Legal Bases

5.1. Consent

There are no national law variations in relation to consent as a legal basis.

However, some legal acts, such as the Labour Code or the Banking Law, set out what data a controller is obliged to collect.

5.2. Contract with the data subject

There are no national law variations in relation to the performance of a contract as a legal basis.

However, some legal acts, such as the Labour Code or the Banking Law, set out what data a controller is obliged to collect.

5.3. Legal obligations

There are no national law variations in relation to legal obligation as a legal basis.

However, there are a number of provisions of law that provide legal obligations, as envisaged under Article 6(1)(c) of the GDPR.

5.4. Interests of the data subject

There are no national law variations in relation to the protection of the interest of the data subject as a legal basis.

5.5. Public interest

There are some situations where the Amending Act introduced derogations relating to Article 6(1)(e) in connection with Articles 6(2) and 6(3) of the GDPR addressed to public bodies. For example, in the case of the operation of the Environmental Protection Inspectorate, the Amending Act specified how data processing obligations must be fulfilled (e.g. method of providing the privacy notice, limitation of certain data subjects rights).

5.6. Legitimate interests of the data controller

There are no national law variations in relation to legitimate interests as a legal basis.

5.7. Legal bases in other instances

Specific rules on processing employee data

Generally, according to the Labour Code, the employer is obliged to process the personal data of candidates/employees explicitly mentioned in the Labour Code and other laws, such as:

  • Act of October 13, 1998, on Social Security (only available in Polish here);
  • Act of March 4, 1994, on Social Benefits Fund (only available in Polish here); and
  • Act of October 4, 2018, on Employee Capital Plans (only available in Polish here).

In addition, the employer may request other data if it is necessary to exercise a right or perform an obligation resulting from a legal provision.

In addition, the employer may collect and process data in order to perform the employment contract (e.g., related to remuneration) based on Article 6(1)(b) of the GDPR or to pay taxes and social security contributions based on Article 6(1)(c) of the GDPR. Consent and legitimate interest are also viable legal bases for processing employees' personal data.

Pursuant to the Labour Code, the employer can process personal data other than as specified in the labor law regulations (e.g., a person's image and interests) with the data subject's consent. Such data should be provided by the candidate or employee at the request of the (potential) employer or at their own initiative.

Consent cannot be a legal basis for processing personal data relating to criminal convictions and offenses regulated in Article 10 of the GDPR. The only basis for such processing is the necessity for compliance with a legal obligation.

Processing of special categories of data by the employer can be based on consent only if the employee provides such data at their own initiative. Employers may also process employees' biometric data if it is necessary to ensure access control to particularly important information or to the premises requiring special protection.

Those employees who will be processing special categories of data should be granted written authorization to do so and should be obliged to maintain confidentiality.

Under the Labour Code, the lack of consent for processing data or its withdrawal may not be the basis for the disadvantageous treatment of the candidate or of an employee, and it may not cause any negative consequences for these persons. In particular, it may not constitute a reason justifying the refusal of employment, notice of an employment contract, or its termination without notice by an employer.

Additionally, the Labour Code regulates employee monitoring (i.e., CCTV, email monitoring, and other monitoring measures). It is possible to monitor employees based on the employer's legitimate interest provided that the following requirements are cumulatively met (according to the type of monitoring activities):

  • the purposes for CCTV may include the necessity to ensure the safety of employees or to protect property, to control production, to keep secret information whose disclosure could expose an employer to damages;
  • the purposes for email and other forms of monitoring (e.g., monitoring of phone calls, logs from Radio Frequency Identification ('RFID') cards, business devices, location and safe driving, network activity, visited websites, billings, etc.) may include the necessity to ensure an organization of work that enables the full use of the working time, and the proper use of the work tools made available to the employee (e.g. whether the employee is using the email account as instructed, in particular in terms of assuring security). Only two purposes are mentioned in the Labour Code, but in our opinion, these purposes should be interpreted broadly. It is currently not clear if employers can monitor employees for other purposes;
  • the purpose, scope, and methods of monitoring should be described in the work regulations, in the Corporate Collective Labour Agreement ('CCLA'), or in an announcement (if there are no work regulations or CCLA). If trade unions operate at the employer, a change to the work regulations or CCLA will require cooperation with trade unions;
  • the employer is obliged to inform its employees of the implementation of monitoring in the manner it has approved no later than two weeks before it is launched;
  • the employer is obliged to provide new employees with written information regarding the purpose, scope, and methods of monitoring before admitting them to work;
  • monitoring should not violate the confidentiality of correspondence and other personal rights of an employee (e.g., private emails of employees should not be monitored);
  • in the case of CCTV, the employer has to comply with requirements regarding the location of CCTV cameras (generally, CCTV cameras should not be installed in restrooms, locker rooms, canteens, and smoking rooms, as well as in premises made available to trade unions);
  • the employer can retain CCTV records for up to three months unless recordings are used as evidence in proceedings conducted under the law or the employer has knowledge that they can be evidence in the proceedings;
  • the employer is obliged to mark monitored premises and areas in a visible, legible manner by means of appropriate signs or audio notices no later than one day before monitoring is launched at the workplace; and
  • the other principles described in the GDPR should be observed, including principles of purpose limitation and data minimization.

Monitoring of sanitary rooms requires prior approval of trade unions or if there are no trade unions, prior consent of employee representatives selected in a manner adopted by the employer.

Specific rules on direct marketing

Under Polish law, direct marketing has to be considered from a number of perspectives:

  • the data protection perspective;
  • the perspective of the Act on Electronic Services (in relation to sending marketing information in the form of emails, SMS/MMS messages, and push notifications via apps and websites); and
  • the Telecommunications Act of July 16, 2004 ('the Telecommunications Act') (in relation to marketing via phone, emails, SMS/MMS messages, and push notifications via apps and websites).

The data protection perspective

Under the data protection regulations, marketing can be delivered based on consent or legitimate interest.

Direct marketing based on the Act on Electronic Services

In order to send commercial information addressed to a specific natural person by electronic means of communication, such as texts, emails, or push notifications via apps and websites, the consent of the recipient is required. The consent needs to meet the GDPR requirements.

In addition, the Act on Electronic Services was revised under the Amending Act. The amendment provides that providers of information society services must seek a user's consent for the processing of their personal data where this goes beyond what is necessary to provide such services, for the purposes of:

  • advertising; or
  • market research or analyzing the user's behavior or preferences with a view to improving the quality of information society services.

It is unclear what data should be considered necessary to provide information society services and, therefore, when consent needs to be sought. Most data protection experts believe that the above legislation is in breach of Article 6 of the GDPR since it introduces more specific rules on the lawfulness of processing without there being grounds for such derogation in the GDPR itself. The UODO is silent on this point.

Direct marketing based on the Telecommunications Act

The Telecommunications Act regulates, in particular, sending marketing information via telecommunications terminal equipment and marketing calls. This covers in particular:

  • SMS/MMS messages; and
  • emails and phone calls, including via automated calling systems.

Thus, in Poland, the two acts regulate the same issue of sending direct marketing via emails and texts. The Telecommunications Act requires that separate consent of the end-user is sought for sending marketing information via telecommunications terminal equipment and marketing calls (including via automated calling systems). The consent needs to meet the GDPR requirements. Accordingly, in order to conduct marketing activities in full compliance with the Act on Electronic Services and the Telecommunications Act, two separate consents are required (one for sending marketing information and one for the use of telecommunications terminal equipment and automated calling systems) on top of any consent required from the data protection perspective (according to the interpretations of the UODO and the Office of Electronic Communication). However, this is usually not done in practice. Organizations often collect just one consent for marketing communication or for specific communication channels.

The Act on Electronic Services and the Telecommunications Act partially implemented the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), following the 'opt-in' rather than the 'opt-out' model.

New rules on direct marketing will be envisaged by the Electronic Communication Act ('the eCommunication Act'), which will replace the direct marketing regulations in the Act on Electronic Services and the Telecommunications Act. The new draft of the Electronic Communication Act is to be published by the Government within the next few weeks.

Under the previous draft of the eCommunication Act, the prior consent of the subscribers and the end user is required for sending commercial information, including direct marketing via telecommunications terminal equipment.

The consent will need to meet the GDPR requirements. However, it may also be collected by way of disclosing the identifying electronic address by the subscribers or end users in order to send them the commercial information.

Specific rules on cookies

According to Article 173 of the Telecommunications Act, consent for cookies may be expressed by adjusting the settings of the software installed in the telecommunications terminal equipment used by that subscriber or end-user or by adjusting the configuration of the service (e.g., by browser settings).

Although, according to Article 174 of the Telecommunications Act, cookie consent should be interpreted in line with the GDPR consent requirements, some publishers still obtain implied consent (e.g., provided by further use of the website) by reference to Article 173 of the Telecommunications Act.

According to a UODO decision (issued at the end of 2021), consent provided via browser settings without any active action by the user was considered invalid, as it did not meet the GDPR requirements. The UODO subsequently ordered the deletion of the IP address and cookie ID, but no administrative fine was imposed. The controller contested the decision, and the court set it aside (for reasons unrelated to consent).

The Telecommunications Act also requires that, prior to giving consent, the user is informed expressly, in an unambiguous, simple, and comprehensible manner, about:

  • the purpose of storing and accessing non-essential cookies; and
  • the possibility of adjusting the settings of the software installed in the telecommunications terminal equipment used by that subscriber or end user or by adjusting the configuration of the service (e.g., by way of browser settings).

The previous draft of the eCommunication Act provided for similar regulations on cookies that are currently in the Telecommunications Act.

Processing for scientific or historical research purposes

The Act does not regulate legal grounds for personal data processing. However, some Polish sectoral acts provide specific legal bases for various processing activities.

The Amending Act introduced changes to the following acts in order to implement Article 89 of the GDPR:

  • Act of June 29, 1995, on Public Statistics (only available in Polish here), including inter alia the exclusion of the application of Articles 15, 16, 18, and 21 of the GDPR;
  • Act of July 20, 2018, on Higher Education and Science (only available in Polish here), regulating data processing for scientific research purposes, including inter alia the exclusion of the application of Articles 15, 16, 18, and 21 GDPR in specific situations. These changes apply only to entities and institutions listed in this act. Additionally, under those changes, specific security measures need to be implemented for personal data processing in relation to scientific research;
  • Act of July 14, 1983, on the National Archival Resources and Archives (only available in Polish here), including inter alia the limitation of the application of Articles 16 and 18 of the GDPR; and
  • Act of April 28, 2011, on the Information System in Health Care (only available in Polish here), regulating that data included in medical records can be made available for the purpose of conducting scientific research and for statistical purposes only in anonymized form.

6. Principles

There are no national law variations regarding the principles relating to personal data processing.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national specific notification or registration requirements, except for the requirement to notify the appointment of a DPO / deputy DPO as described in the section on DPO appointment.

7.2. Data transfers

There are no national law variations regarding data transfers.

In most cases, national law does not require storing (business) data or documentation within the territory of Poland. However, there are some exceptions to this rule, for example:

  • documentation containing classified information or state secrecy; and
  • specific telecommunication data in the case of operators of a public telecommunications network and providers of publicly available telecommunications services.

7.3. Data processing records

There are no national law variations regarding data processing records.

7.4. Data protection impact assessment

There are no national law variations regarding carrying out a DPIA.

There is no list of activities subject to prior consultation or authorization. The UODO has published the amended list of types of processing activities for which carrying out a DPIA is required. It states that, as a rule, processing which meets at least two of the below-mentioned criteria will require a DPIA:

  • evaluation or assessment, including profiling and prediction (behavioural analysis), for purposes that produce negative legal, physical, or financial effects, or other inconveniences, for individuals;
  • automated decision-making producing legal, financial or similar significant effects;
  • systematic monitoring of publicly accessible areas on a large scale using elements of recognition of characteristics or properties of objects present in the monitored area. This group of systems does not include video surveillance systems in which the image is recorded and used only where an incident involving a breach of law needs to be analysed;
  • processing of special categories of personal data and personal data relating to criminal convictions and offenses;
  • processing of biometric data for the purpose of uniquely identifying a natural person or verifying access control;
  • processing of genetic data;
  • data processed on a large scale, where the notion of large-scale concerns:
    • the number of persons whose data are processed;
    • the scope of processing;
    • the data storage period; and
    • the geographical scope of processing;
  • making comparisons, evaluating or drawing conclusions based on analysis of data obtained from various sources;
  • processing of data concerning persons whose evaluation and the services provided to them depend on the entities or persons which have supervisory and/or evaluating powers;
  • innovative use or application of technological or organizational solutions;
  • in cases where the processing itself prevents data subjects from exercising a right or using a service or a contract; and
  • processing of location data.

Moreover, the UODO has not provided any predetermined low-impact activities that are exempt from a DPIA.

How to conduct a DPIA

The guidance issued by the UODO includes a diagram of the steps for carrying out a DPIA; another part of it contains a chart outlining the DPIA process and a table with an example of applying the risk-based approach to a processing activity.

Additionally, the UODO has not issued any templates or checklists for conducting a DPIA. However, the UODO has endorsed the French data protection authority's ('CNIL') Privacy Impact Assessment ('PIA') tool and noted that the Polish translation was approved by the UODO. The CNIL's PIA assessment tool can be accessed online here or here or downloaded for Windows here, for Mac OS here, and for Linux here. Please note that CNIL announced on 24 June 2020 that it had launched an updated PIA assessment tool, which can be accessed online here and here or downloaded for Windows here, for Mac OS here, and for Linux here (press release only available in French here).

Prior Consultation

In line with the prior consultation guidelines (only available in Polish here) ('the Prior Consultation Guidelines'), a request for prior consultation can be made through submitting an electronic form for prior consultation. In order to submit the form, it is necessary to have/create an account and a trusted profile on the Electronic Platform of Public Administration Services ('ePUAP') platform or an account on the Information and service website for entrepreneurs ('ePK platform').

The Prior Consultation Guidelines specify that the form must satisfy the requirements set out in Article 63 of the Act of June 14, 1960, Code of Administrative Procedure (only available in Polish here) ('the Administrative Procedure Code'). The Prior Consultation Guidelines highlight that in addition to the information specified in Article 36(3) of the GDPR, the form should include at least the following information: indication of the person who is submitting the form, their address, and request, as well as their signature.

In addition, the Prior Consultation Guidelines state that in case the form is submitted by proxy, it should also include power of attorney, in line with Article 33(3) of the Administrative Procedure Code, as well as proof of payment of administrative costs of PLN 17 (approx. $4), in line with Article 3(1) of the Regulation of the Minister of Finance of September 28, 2007, on the Payment of Administrative Costs (only available in Polish here).

During the procedure conducted under prior consultation, the UODO may request applicants to provide additional information necessary for the purposes of consultation (Article 36(2) of the GDPR).

The Prior Consultation Guidelines specify that if the submitted form does not fulfill the requirements of Article 36(3) of the GDPR and Article 63 of the Administrative Procedure Code, the UODO will inform the person requesting prior consultation of the refusal to consult, specifying the reasons for the refusal (Article 57(3) of the Act).

The UODO may take similar action if the submitted form shows that the DPIA did not identify a high risk.

7.5. Data protection officer appointment

Public organizations that are under an obligation to appoint a DPO include entities in the public finances sector, research institutes, and the National Bank of Poland (Article 9 of the Act).

In accordance with the DPO Appointment Guidelines, the appointment of more than one DPO is not allowed. Furthermore, it should be clear to individuals internally (i.e., employees who are involved in the data processing) and externally (i.e., data subjects and the UODO) who performs the function of a DPO and is responsible for the monitoring of compliance of the processing of personal data with the law.

The DPO Guidance provides that no legal person can perform the functions of a DPO. While the law does not prohibit related parties from being designated as DPOs, the DPO Guidance states that it is necessary to carefully analyze and assess whether particular family relationships could impair the independent performance of the DPO's tasks and duties or create a conflict of interests within the meaning of Article 38(6) of the GDPR.

Role

Joint function as a proxy for the protection of classified information

The DPO Appointment Guidelines specify that a DPO may also perform the role of a proxy for the protection of classified information, whose task is to oversee compliance with rules on the protection of classified information, in line with the Act of August 5, 2010, on the Protection of Classified Information (only available in Polish here). Performing both roles cannot be detrimental to a DPO's independence and position in the structure of the organization, nor lead to a conflict of interests as specified in the GDPR.

Joint function as a line manager

In line with the DPO Appointment Guidelines, performing the role of both a line manager and a DPO requires an assessment of the possibility of a conflict of interest which takes into account the following criteria:

  • organizational: a DPO should be directly subordinate to the top management of the organization;
  • substantive: additional responsibilities should not negatively impact the independence of a DPO; and
  • timing: a DPO should have sufficient time to perform their tasks, taking into account factors such as the quantity and complexity of their duties.

Joint function as an ASI

The DPO Appointment Guidelines outline that the tasks of an IT system administrator ('ASI') usually include the administration of servers used for data processing, implementation of IT system security measures, detection of unauthorized access to the system, and configuration of user accounts. Taking into account the nature of an ASI's tasks, assigning a joint function of an ASI and a DPO to one person may lead to a conflict of interests or negatively impact their independence, contrary to the GDPR.

In particular, the DPO Appointment Guidelines highlight that, under Article 38(3) of the GDPR, a DPO may not be subordinate to anyone within an organization apart from top management. Therefore, in the UODO's view, assigning a joint function of a DPO and an ASI to one person requires that they are not subordinate to, e.g., an IT manager or anyone else apart from top management. In this regard, the UODO noted that when assigning the position of an ASI and a DPO to one person, the data controller should make an individual assessment of the applicable circumstances and continuously monitor the possibility of a conflict of interests arising.

Register of processing

The DPO Tasks Guidelines highlight that despite the fact that the obligation to maintain a register of processing under Article 30 of the GDPR is the responsibility of data controllers and data processors, the knowledge and skills of a DPO imply that they may be involved in the process of creating and maintaining the register of processing, as well as use it in the performance of their tasks. In addition, the DPO Tasks Guidelines outline that a DPO may support the data controller or the data processor in the creation and maintenance of a register of processing by, for instance, advising in this regard (e.g., by gathering information for the purpose of identification of the processing activities).

Works councils

The DPO Tasks Guidelines specify that since a works council operates as a data controller independent from an employer, an employer's DPO is not under an obligation to also act as a DPO for the works council, unless other arrangements are put in place.

Cooperation with UODO

DPOs can contact the UODO with questions relating to the applicable data protection rules. Furthermore, the UODO has issued a newsletter for DPOs, which can be subscribed to on the UODO's website.

Professional qualifications

In line with the DPO Appointment Guidelines, the function of a DPO in Poland may be performed by a foreigner. However, the UODO notes that, in line with the guidelines, a data controller is obliged to ensure effective communication in Polish between a DPO and the UODO, as well as between a DPO and data subjects. Moreover, the Amending Act has introduced an additional role, a deputy DPO, who acts in the absence of the DPO. The requirements for a deputy DPO's position, notification, and publication of contact details are the same as those for designating the DPO.

Furthermore, the DPO Tasks Guidelines highlight that a DPO is not entitled to grant authorizations for the processing of personal data, as this could potentially create a conflict of interest.

Notification

The Act introduces an obligation to notify the UODO of the designation of a DPO, or of any changes to the DPO, within 14 days. Moreover, a company that designates a DPO is obliged to publish the DPO's contact details, including name, surname, and email address or phone number, on its website or, in the absence of a website, in a manner generally accessible at its place of business (Article 11 of the Act). It is market practice to provide the DPO's email address rather than their phone number. An organization may choose whether to publish the appointed DPO's email address or phone number on its website; it is not necessary to publish both.

In addition, a change of DPO details, as well as dismissal of a DPO, should also be communicated to the UODO within 14 days. In case a group of undertakings appoints a single DPO, each of the undertakings must notify their DPO contact details separately (Article 10 of the Act).

In line with the DPO Notification Guidelines, the only method for notification of appointment, dismissal, or change of details of a DPO to the UODO is electronic notification, which must include a qualified electronic signature (guidance on which can be accessed here, only available in Polish) or an electronic signature confirmed with an ePUAP trusted profile. The notification form should be sent in Polish.

Moreover, notification can be made through the Ministry of Entrepreneurship and Technology's website, biznes.gov.pl. A DPO appointment notification form is available here, a DPO change of contact details notification form here, a DPO dismissal notification form here, and a DPO dismissal and new DPO appointment notification form here.

The DPO Notification Guidelines also specify that notification of a DPO can be made by proxy under a power of attorney. The power of attorney should be granted in electronic form (Article 10(2) of the Act) and bear the qualified electronic signature, or the electronic signature confirmed with the ePUAP trusted profile, of a person authorized to represent the data controller. The administrative fee of PLN 17 (approx. $4) for the power of attorney can be paid to the Warsaw City Hall via bank transfer.

Location

The DPO Appointment Guidelines highlight that the GDPR and the guidelines do not specify a limit of how many organizations may appoint a single DPO. The DPO Appointment Guidelines outline that a group of organizations may only appoint a single DPO in justified circumstances and that this should be within reasonable limits. To assess this, a number of aspects should be taken into account, including the availability of a DPO, their capability to gain in-depth knowledge about the functioning of an organization, having sufficient time to perform their tasks, avoiding a conflict of interests, as well as the size and organizational structure of the organization that is the data controller. This requires a case-by-case assessment.

7.6. Data breach notification

There is no general national notification variation or exemption. A breach notification form is available in Polish here. Notification must be submitted electronically in Polish.

7.7. Data retention

In Poland, there are several statutory minimum or maximum retention periods set out by law. In other cases, retention periods must be established based on the GDPR storage limitation principle, under which personal data should not be retained for longer than is necessary for the purpose. In general, the UODO has not issued specific guidelines on the subject.

Examples of retention periods set out by law include:

  • employee documentation for ten to 50 years (depending on the particular circumstances);
  • accidents and injury at work documentation for ten years from making the files;
  • employee CCTV recordings for three months from the date of recording (or, if the recorded event is the subject of further proceedings, until the event has been fully explained); and
  • tax documentation for five years from the end of the calendar year in which tax payment was due.

In the case of personal data processing in relation to journalistic, artistic, or literary activity, Article 5 of the GDPR, regulating inter alia the storage limitation principle, does not apply.

7.8. Children's data

The national regulations do not change the age of consent specified in the GDPR. In the case of services provided via electronic means (online services), minors may consent to the processing of their personal data on their own when they reach the age of 16.

In other contexts, if the minor is above the age of 13, both a legal representative (e.g., parent) and the minor need to consent to the processing of the minor's personal data, or the legal representative may consent on behalf of the minor. If the minor is below the age of 13, only the legal representative may consent to the processing of the minor's personal data.

7.9. Special categories of personal data

There are no general national rules on the processing of special categories of data or criminal conviction data, but some specific variations or exclusions are provided in Polish regulations. These specific provisions primarily apply to public bodies and provide a legal basis for processing special categories of data or criminal conviction data and further conditions to do so.

Examples of regulations applicable to the private sector include:

  • Act of September 11, 2015, on Insurance and Reinsurance (only available in Polish here), under which insurance companies may process special categories of personal data, including health data, in order to assess insurance risk and to perform a contract; and
  • Act of September 11, 2019, Public Procurement Law (only available in Polish here), regarding the obligation to provide criminal conviction data in certain situations.

In some cases, Polish regulations require specific security measures to protect special categories of personal data or criminal conviction data. The main such measure is that only persons who are appropriately authorized in writing and bound by a confidentiality obligation may process special categories of personal data (e.g., employees' special categories of data) or criminal conviction data (e.g., criminal conviction data in proceedings for a concession contract for construction works or services).

Specific rules for the processing of special categories of employee data are described in the section on legal bases in other instances above.

7.10. Controller and processor contracts

There are no national law variations regarding data processing agreements and cooperation between a controller and processor.

8. Data Subject Rights

8.1. Right to be informed

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Articles 13 and 14 of the GDPR do not apply. Additionally, in the case of personal data processing in relation to academic expression, Article 13 of the GDPR does not apply.

The controller is exempt from information provision obligations under Articles 13(3), 14(1), 14(2), and 14(4) of the GDPR if:

  • the controller performs a public task;
  • the processing serves to perform such a task; and
  • it is necessary to achieve the objectives stipulated in Article 23(1) of the GDPR, and the other conditions set out in Articles 3 and 4 of the Act are met.

The Amending Act introduced changes to a number of acts that exclude public bodies from the obligation to provide individual information to data subjects. Instead, public bodies are obliged to publish the information on their websites or to display it in a visible place in the building where they operate.

In addition, the Amending Act introduced other specific regulations regarding the right to be informed. For example, changes to the Act of May 30, 2014, on Consumers Rights (only available in Polish here) enable micro-entrepreneurs to provide a privacy notice under Article 13 of the GDPR by displaying it in a visible place on the business premises or by providing the relevant information on their website.

This exemption does not apply if:

  • the data subject does not have the opportunity to become acquainted with the privacy notice;
  • the data controller processes the data referred to in Article 9(1) of the GDPR (i.e., special category data); and
  • the data controller discloses data referred to in Article 9(1) of the GDPR (i.e., special category data), except when such disclosure is based on consent or the fulfillment of a legal obligation.

8.2. Right to access

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 15 of the GDPR does not apply. Additionally, in the case of personal data processing in relation to academic expression, Articles 15(3) and 15(4) of the GDPR do not apply.

Controllers performing a public task are exempted from providing data subjects with the information specified in Articles 15(1) to 15(3) of the GDPR if not providing such information is necessary to achieve the objectives stipulated in Article 23(1) of the GDPR and other conditions set out in Article 5 of the Act are met.

Under the Act, controllers receiving data from an entity performing a public task are exempt from providing the information specified in Articles 15(1) to 15(3) of the GDPR if the entity requested the data as necessary for the proper performance of a public task aimed at, in particular, the prevention, investigation, detection, or prosecution of criminal offenses.

In addition, the Amending Act introduced other specific regulations regarding the right to access, e.g., in case of personal data processing by:

  • financial sector entities (e.g., banks, insurers, investment funds, etc.) to the extent that it is necessary for the proper performance of their tasks related to counteracting money laundering and the financing of terrorism, as well as preventing other crimes, in which case all the rights described in Article 15 of the GDPR are excluded; and
  • persons performing the professions of attorney-at-law, notary, tax advisor, sworn translator, and an employee of the General Counsel to the Republic of Poland ('the Professions'), in which case the Amending Act limited the application of Articles 15(1) and 15(3) of the GDPR due to the obligation of secrecy imposed upon them.

8.3. Right to rectification

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 16 of the GDPR does not apply.

In addition, the Amending Act introduced other specific regulations regarding the right to rectification. For example, in the case of personal data processing for public statistics purposes, the Amending Act excluded the application of Article 16 of the GDPR.

8.4. Right to erasure

There are no national law variations regarding the right to erasure.

8.5. Right to object/opt-out

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 21 of the GDPR does not apply.

In addition, the Amending Act introduced other specific regulations regarding the right to object. For example, in the case of personal data processing by persons performing the Professions (see the section on the right to access above), the Amending Act excluded the application of Article 21(1) of the GDPR due to the obligation of secrecy imposed upon them.

8.6. Right to data portability

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 20 of the GDPR does not apply.

8.7. Right not to be subject to automated decision-making

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Article 22 of the GDPR does not apply.

In addition, the Amending Act introduced a number of possibilities to perform automated decision-making, including profiling, and excluded the data subject's right not to be subject to such decision-making, in particular in the case of personal data processing by:

  • banks and other entities granting credits in order to assess credit standing and credit risk;
  • insurers in order to assess insurance risk and perform other insurance operations; and
  • the General Inspectorate of Road Transport in connection with using traffic enforcement cameras.

However, additional requirements need to be met by the abovementioned controllers.

8.8. Other rights

Under the Act, in case of personal data processing in relation to journalistic, artistic, or literary activity, Articles 18 and 19 of the GDPR do not apply. Additionally, in the case of personal data processing in relation to academic expression, Article 18 of the GDPR does not apply.

In addition, the Amending Act introduced other specific regulations regarding the rights under the GDPR. For example, in the case of personal data processing by persons performing the Professions (see section on the right to access above), the Amending Act limited the application of Articles 18 and 19 of the GDPR due to the obligation of secrecy imposed upon them.

9. Penalties

A cap on administrative fines for public bodies was introduced: up to PLN 100,000 (approx. $24,790), or up to PLN 10,000 (approx. $2,480) for cultural institutions.

In addition to the sanctions applicable under the GDPR, the Act provides criminal liability. Unpermitted or unauthorized processing of personal data, jeopardizing or impeding an audit by the UODO, or failure to provide the UODO with data necessary to determine the basis for an administrative fine may entail criminal liability (e.g., a fine, restriction of personal liberty, or imprisonment of up to three years).

The Amending Act amended the Act of June 6, 1997, Penal Code (only available in Polish here) to penalize threatening to initiate criminal proceedings, or other proceedings in which an administrative pecuniary penalty may be imposed. The change is aimed at counteracting GDPR-related fraud.

9.1. Enforcement decisions

Decisions issued by the UODO can be accessed online (only available in Polish here). The UODO carries out audits in accordance with its annual audit plans and outside the scope of its audit plan.

The audit plan for 2023 envisages audits regarding:

  • authorities processing personal data in the Schengen Information System and Visa Information System with regard to the processing of SIS/VIS personal data on the basis of the provisions of the Act of August 24, 2007, on the participation of the Republic of Poland in the Schengen Information System and Visa Information System (available only in Polish here), implementing acts and European Union regulations;
  • entities processing personal data through mobile applications with regard to the method of securing and sharing data in connection with the use of such applications; and
  • entities processing personal data through Internet (web) applications with regard to the method of securing and sharing data in connection with the use of such applications.

To date, the UODO has issued decisions involving administrative fines for various types of non-compliance with the GDPR, such as:

  • not providing information required under Article 14 of the GDPR;
  • data breaches that resulted in data leakage;
  • failure to provide a mechanism for withdrawal of consent;
  • lack of cooperation with the UODO;
  • the absence of an agreement with a data processor and failure to update the register of processing activities;
  • implementing inappropriate technical and organizational measures ('TOMs'); and
  • other related violations of personal data protection principles.

The table below presents details of notable decisions/case law, giving for each the date of the decision, the amount of the fine, and a description of the UODO's decision:

March 15, 2019

Approximately PLN 1 million (approx. $248,260)

The fine was imposed on a data broker for not providing approximately six million sole traders with its privacy notice.

On December 11, 2019, the Provincial Administrative Court in Warsaw ('the Administrative Court') annulled the fine. The Administrative Court decided that the UODO should reassess the case. Since this reassessment may have a bearing on the amount of the fine, the fine was annulled. The data broker appealed against the judgment to the Supreme Administrative Court. On September 19, 2023, the Supreme Administrative Court upheld the judgment of the Administrative Court. The judgment is final.

Currently, the UODO is obliged to reassess the case.

You can read the decision here, the judgment of the Administrative Court here, and the judgment of the Supreme Administrative Court here, only available in Polish.

September 10, 2019

The amount exceeded PLN 2.8 million (approx. $695,240)

The fine was imposed on Morele.net, a major e-commerce retail platform, for its failure to put in place appropriate safeguards against unauthorized access to personal data. Morele.net suffered a major hacker attack, resulting in data relating to 2.2 million of its clients being harvested by attackers. The harvested data was then used to carry out spear phishing and was published online.

On September 3, 2020, the Administrative Court upheld the fine imposed by the UODO. Morele.net appealed against the judgment to the Supreme Administrative Court. On February 9, 2023, the Supreme Administrative Court annulled the judgment of the Administrative Court and the decision of the UODO. The judgment is final.

You can read the decision here, the judgment of the Administrative Court here, and the judgment of the Supreme Administrative Court here, only available in Polish.

October 18, 2019

PLN 40,000 (approx. $9,930)

[maximum penalty for public authorities is PLN 100,000 (approx. $24,830)]

The fine was imposed on the mayor of a city for, inter alia, lack of data processing agreement, processing personal data longer than the retention period set by law, publishing city council meetings on YouTube only (without any backup solutions, which could result in them being unavailable or lost), and not having information on all recipients and retention periods entered in the register of processing activities.

On August 26, 2020, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

October 16, 2019

The amount exceeded PLN 201,000 (approx. $49,910)

The fine was imposed on a direct marketing provider for failing to enable users to unsubscribe from direct marketing (i.e., withdraw their consent) and to exercise their right to data erasure.

On February 10, 2021, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

March 9, 2020

PLN 20,000 (approx. $4,970)

The fine was imposed for making it impossible to carry out the inspection. The UODO notified the company of its intention to carry out an inspection in the company's office. At the announced time of the inspection, not a single company officer or staff member was present at the office. When the UODO set a further date for the inspection, the company continued this curious game of hide-and-seek. In addition, the company canceled the lease of its office premises where the inspection was to be carried out, and the company's shareholders decided to wind up the business.

You can read the decision, only available in Polish, here.

May 29, 2020

PLN 15,000 (approx. $3,720)

The fine was imposed for failing to provide the UODO with access to personal data and other information necessary to perform its tasks. Following a complaint from an individual (initially lodged with the Rhineland-Palatinate data protection authority but then referred to the UODO), the UODO repeatedly requested that the company explain and justify its data handling practices. The company either failed to respond or gave vague, self-contradictory, or unsatisfactory answers.

On January 26, 2021, the Administrative Court upheld the fine imposed by the UODO. The judgment is final.

You can read the decision here and the judgment here, both only available in Polish.

June 3, 2020

PLN 5,000 (approx. $1,240)

The fine was imposed for lack of cooperation with the UODO. Following a data breach notification made by a private owner of a nursery, the UODO repeatedly requested a copy of the communication that the owner purported to have conveyed to the individuals affected. The requests were sent in letters to the owner's listed address for service of correspondence and the address of her principal place of business. The owner failed to collect most of the letters. The one letter that she collected, however, remained unanswered.

You can read the decision, only available in Polish, here.

August 21, 2020

PLN 50,000 (approx. $12,420)

The fine was imposed on a state-owned university for its failure to comply with a number of obligations under the GDPR, which came to light after a major data breach and a subsequent inspection by the UODO. A university employee was using his private laptop for work-related purposes without being authorized to do so under the university's policies. The laptop held a copy of a considerable portion of the university's database, including personal data relating to approximately 100,000 applicants who had applied to the university over the last five years. The laptop was stolen, which led to the loss of the confidentiality of 81,624 records. After the breach was notified, the UODO inspected the university's premises and databases. It found that a number of infringements overlapped in this instance. The university had failed to implement safeguards for its databases, to implement a mechanism for the traceability of events (including extractions) concerning its databases, to ensure that its BYOD policies were complied with, and to ensure that applicants' personal data was erased from all locations upon expiration of the applicable retention periods.

On May 13, 2021, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

December 3, 2020

PLN 1.9 million (approx. $471,800)

The fine was imposed for not implementing appropriate TOMs to ensure the security of the data processed. This came to light after a data breach and a subsequent inspection by the UODO. The UODO established that the company did not regularly and comprehensively test, measure, and evaluate its TOMs. The company only tested its security measures when a vulnerability was suspected or in connection with organizational changes. In particular, the company did not test for vulnerabilities in the transfer of data between the applications used to service clients buying pre-paid services. An unauthorized person took advantage of a vulnerability in the data exchange between these systems to obtain data of some of the company's clients.

On October 21, 2021, the Administrative Court annulled the fine imposed by the UODO. The judgment is final.

You can read the decision here and the judgment here, both only available in Polish.

November 16, 2022

Approximately PLN 1.6 million (approx. $397,280)

Following the annulment, the UODO investigated the case again and once more found that the company had failed to implement appropriate TOMs to ensure the security of the data processed.

On June 21, 2023, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

December 9, 2020

PLN 85,588 (approx. $21,250)

The fine was imposed on an insurance and reinsurance company for not notifying a personal data breach to the UODO without undue delay. The data breach consisted of sending an email containing an insurance policy by the insurance agent, acting as the company's processor, to an unauthorized recipient. The insurance policy contained various data, including, inter alia, names, addresses, and national identification numbers. The UODO received information on the data breach from the unauthorized recipient of the email. As a consequence, the UODO requested the company to clarify whether it carried out the risk assessment, enabling it to decide whether the data breach should be notified to the UODO and data subjects affected by the breach. The company confirmed that it carried out such an assessment and that, based on the assessment, it found that the breach was not required to be notified to the UODO and data subjects due to the low risk to the rights and freedoms of data subjects. The UODO disagreed with this approach because it found that the risk to such rights and freedoms was high, and both the UODO and data subjects should, therefore, have been notified.

You can read the decision, only available in Polish, here.

January 5, 2021

PLN 85,000 (approx. $21,110)

The fine was imposed on an entrepreneur operating in the healthcare industry for non-compliance with an order imposed on it in a UODO decision. The UODO ordered the entrepreneur to inform data subjects about a data breach that had affected their data and to make recommendations on how to minimize the potential negative effects of the breach. The entrepreneur did not comply with the order. This was revealed in an inspection by the UODO aimed at verifying whether the obligations imposed in the decision had been fulfilled.

On November 24, 2021, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

January 11, 2021

PLN 136,000 (approx. $33,770)

The fine was imposed on a company in the power industry for its failure to notify a personal data breach to the UODO. The breach involved an email sent to an unauthorized recipient with an unprotected attachment containing the personal data of several hundred people. The UODO found out about the breach from the unauthorized recipient of the email.

You can read the decision, only available in Polish, here.

April 22, 2021

PLN 1.1 million (approx. $273,150)

The fine was imposed on a DTH platform for not implementing appropriate TOMs in cooperation with a courier company. The DTH platform frequently notified the UODO of data breaches involving lost correspondence containing personal data or the delivery of such correspondence to unauthorized recipients by the courier company. It turned out that the DTH platform notified such breaches to the UODO and data subjects with a long delay only when it received information from the courier company. The UODO found that the DTH platform failed to implement effective measures that would minimize the number of such breaches and allow for their faster identification and, therefore, faster notification to the UODO and data subjects.

On November 15, 2021, the Administrative Court annulled the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

June 8, 2021

PLN 100,000 (approx. $24,830)

The fine was imposed on a cellular telecommunications provider for failing to notify the UODO of personal data breaches in time. The UODO repeatedly asked the controller for explanations regarding its submission of notifications after the deadline. When the controller failed to implement appropriate measures to prevent such late notifications in the future, the UODO decided to impose a fine on the controller.

On October 5, 2022, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

October 14, 2021

PLN 363,000 (approx. $90,150)

The fine was imposed on a bank for failing to notify the UODO and data subjects of a personal data breach. The breach involved correspondence containing personal data (including names, national identification numbers, addresses, bank account numbers, and customer identification numbers) that was lost by a courier company. The UODO found out about the breach from the data subjects affected by the breach. It turned out that the bank had informed the data subjects about the breach. However, the information provided was insufficient (not compliant with the GDPR requirements). The bank considered that the risk of negative consequences for the data subjects involved was medium, so it did not notify the data breach to the UODO and did not provide the data subjects with the full information required under the GDPR. The UODO questioned the bank's data breach assessment.

On July 1, 2022, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

January 19, 2022

PLN 545,748 (approx. $135,530)

The fine was imposed on a bank for failing to notify data subjects of a data breach without undue delay. The bank reported the breach to the UODO after it found that its former employee still had access to the bank's payer profile on the National Healthcare Fund's Electronic Services Platform despite the termination of his employment. The bank established that the former employee had accessed the Platform five times after leaving the bank.

On November 15, 2022, the Administrative Court upheld the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

January 19, 2022

PLN 4.9 million (approx. $1.2 million) for the controller

PLN 250,135 (approx. $250,140) for the processor

The fine was imposed on: (i) the controller, an electricity and gas supplier, for failing to implement appropriate TOMs to ensure the security of personal data, resulting in a breach of its confidentiality, and for failing to verify whether the processor provided sufficient guarantees to implement appropriate TOMs so that the processing met the GDPR requirements; and (ii) the processor, for failing to implement appropriate TOMs to ensure the security of personal data, including ensuring its confidentiality.

The data breach involved unauthorized persons copying the controller's customer data. This occurred when a change was made to the ICT environment by the processor. The breach occurred as a result of the processor's failure to apply basic security measures against unauthorized access. It was underlined that the controller was also obliged to regularly test, measure, and evaluate the effectiveness of TOMs to ensure the security of processing.

On October 10, 2022, the Administrative Court annulled the fine imposed by the UODO. The judgment is not final.

You can read the decision here and the judgment here, both only available in Polish.

July 6, 2022

PLN 60,000 (approx. $14,900)

[maximum penalty for public authorities is PLN 100,000 (approx. $24,830)]

The fine was imposed on the Surveyor General of Poland for failing to report the data breach to the UODO and failing to notify data subjects.

The service run by the Surveyor displayed land registry numbers for more than 48 hours. With a land registry number, it is easy to determine a range of property owners' data, including their national identification number, first and last names, parents' names, and property addresses. The UODO learned of the breach from the media. The Surveyor maintained that land registry numbers are not personal data, but the UODO disagreed.

This is the third penalty imposed on the Surveyor.

You can read the decision, only available in Polish, here.

May 31, 2023

PLN 47,000 (approx. $11,670)

The fine was imposed on a company for failure to implement appropriate TOMs to ensure the security of the data processed, lack of regular testing, measurement, and evaluation of the effectiveness of the measures applied, and failure to notify the UODO and data subjects of a personal data breach.

The breach involved the loss of documentation kept in electronic form containing personal data pertaining to company personnel. The company lost access to such documentation due to a ransomware attack. The UODO received information on the data breach from a third party.

You can read the decision, only available in Polish, here.

October 18, 2023

PLN 103,752 (approx. $25,770)

The fine was imposed on an insurance company for failing to notify a personal data breach to the UODO without undue delay.

The breach involved sending an email containing a document confirming the award of compensation to an unauthorized recipient. The document contained various data, including name, surname, correspondence address, the vehicle brand, model, and registration number, as well as the policy number, damage number, its value, and the amount of the claim accepted. The UODO received information on the breach from the unauthorized recipient of the email. The insurance company confirmed that it had carried out a risk assessment to determine whether the breach should be notified to the UODO and, on that basis, concluded that notification was not required due to the low risk to the rights and freedoms of data subjects. The UODO disagreed with this approach.

You can read the decision, only available in Polish, here.

December 20, 2023

PLN 100,000 (approx. $24,830)

[that is the maximum penalty which may be imposed on public authorities]

The fine was imposed on the Minister of Health for unlawfully disclosing the health data of an individual.

The Minister of Health published, on a social networking site, information on a doctor who had written himself a prescription for a psychotropic drug. The Minister of Health obtained this information from the electronic system to which he had access in the course of his duties. The UODO stressed that if there had been no statutory cap on penalties imposed on public authorities (PLN 100,000), the penalty would have been significantly higher.

You can read the decision, only available in Polish, here.
