Data Protection & Privacy 2020

Last Updated March 09, 2020


Law and Practice


Ernst & Young Law Tałasiewicz, Zakrzewska i Wspólnicy sp.k. works alongside other EY professionals, including those specialising in assurance, tax, transactions and advisory. Serving across borders, EY's sector-focused, multidisciplinary approach means it offers integrated, broad and pertinent advice. The legal team provides holistic guidance around strategic business decisions, reducing the gap between business advisers and legal counsel. Working with other EY service lines, EY Law is able to build interdisciplinary teams capable of leading projects requiring simultaneous consideration of many aspects – from legal, through risk, ending on architecture and implementation. Located in Warsaw, EY wavespace (a global network of growth and innovation centres), with its OT/IoT Security Laboratory, enables co-operation leading to the development of ready-made solutions and knowledge transfer. wavespace locations feature a shared methodology and platform that combine EY’s experience in disruptive technologies such as artificial intelligence, robotic process automation (RPA), blockchain, data analytics, digital, customer experience and cybersecurity, with EY’s deep industry domain and regulatory experience. Special thanks to Marcin Grott from EY Law for his input to this chapter.

The right to privacy is guaranteed in Article 47 of the Constitution of the Republic of Poland of 2 April 1997 (the Polish Constitution). The right to the protection of personal data is a specialised measure to protect privacy, specified in Article 51 of the Polish Constitution.

Concretisation of the constitutionally guaranteed right to the protection of personal data in Poland is to be found in specific EU and Polish regulations, which are: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the GDPR), and the Act of 10 May 2018 on the Protection of Personal Data (the PPDA). The latter regulates, among other things, the organisation and functioning of the Personal Data Protection Office and the role of the President of the Personal Data Protection Office (the PPDPO). Moreover, the Act of 21 February 2019 on amendments to different Acts in connection with ensuring the applicability of the GDPR provides for respective changes and references to the GDPR and GDPR requirements in 162 Polish Acts in various sectors.

In the event of a breach of the provisions on personal data protection, there is a risk of administrative liability (including a financial penalty) as well as of civil and criminal liability. The data subject has the right to choose the means of protecting his or her personal data: civil (proceedings before the court) or administrative (proceedings before the PPDPO). Both methods are independent of each other and the data subject is also entitled to choose to use both. However, a claim for compensation for damages can only be made in civil proceedings against the data controller in breach. In contrast, criminal liability is additional to administrative and civil liability. Collective entities (eg, a company) are not subject to criminal liability, unlike natural persons, who are individually responsible for committing a criminal act.

The PPDPO is the authority competent in matters of personal data protection. The PPDPO initiates proceedings in the event of a complaint about a breach of personal data protection regulations by a data controller, or on its own initiative as a result of an inspection or of obtaining information about irregularities. The inspections carried out by the PPDPO may consist of obtaining written explanations as well as direct inspections carried out by authorised employees of the Personal Data Protection Office. In addition to ad hoc controls, the PPDPO also carries out scheduled inspections, the subject of which is announced at the beginning of each calendar year.

To the extent that personal data protection issues relate to electronic communications, the President of the Office of Electronic Communications is also competent. Moreover, in the event that personal data processing may constitute a practice infringing collective consumer interests, the President of the Office for Competition and Consumer Protection is also competent.

The proceedings to deal with a breach of regulations concerning personal data protection are conducted by the PPDPO based on the provisions of the PPDA. In matters not covered by the PPDA, the Code of Administrative Procedure shall apply. The proceedings are single-instance and the PPDPO’s decision is final and terminates the proceedings at the level of administrative bodies. The PPDPO may impose an administrative fine in its decision. If an entity does not agree with the decision, it is entitled to file a complaint with an Administrative Court within 30 days of the decision being served. Subsequently, the party has the right to appeal against the decision of an Administrative Court of first instance to an Administrative Court of second instance.

In Poland, which is a member state of the EU, the provisions of the GDPR are directly applicable. With respect to data processing in electronic communications, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (e-Privacy Directive) is applicable. In Poland, the provisions of this Directive have been implemented by the Act of 18 July 2002 on the Rendering of Electronic Services (as amended) and the Telecommunications Act of 16 July 2004 (as amended). Currently, work is underway on the e-Privacy Regulation, which will replace the e-Privacy Directive. As regards law enforcement authorities, Poland has transposed Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, by passing the Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crimes (Crimes Prevention PPDA).

As for non-governmental organisations (NGOs), attention should be paid to the activities of the Panoptykon Foundation. It is a Polish NGO whose goal is to protect fundamental freedoms against threats associated with the development of modern techniques of supervision over society. Particularly noteworthy are its activities in the last year on behavioural advertising, which included the preparation of a report on online advertising and the filing of complaints with the PPDPO about online advertising tracking ecosystems. Similar complaints have been filed by organisations in fifteen EU countries.

Industry organisations are very active in the context of personal data protection. They provide opinions regarding the law and propose changes to it. They create sectoral guidelines (eg, codes of conduct) and also conduct educational activities. Examples of such organisations include: the Polish Bank Association, the Polish Insurance Association, the Lewiatan Confederation, the Poland Internet Industry Employers’ Association (IAB), and the Polish Marketing Association (SMB).

In Poland, there are also organisations of privacy professionals dealing with personal data protection. The following should be mentioned as prominent examples of such organisations: the Association of Data Protection Officers (SABI), the Association of Personal Data Protection Officers, and the Association of Data Protection Practitioners.

Legislation on personal data protection has existed in Poland since 1997. However, due to the lack of financial penalties provided for in the previous Act, the requirements included therein were not strictly observed. As a result of the introduction of financial penalties by the GDPR, the importance of personal data protection requirements in Poland has increased significantly. Currently, the so-called second wave of the adoption of GDPR requirements can be seen. This is due to the fact that fines are imposed by the PPDPO as well as other EU authorities. Although the PPDPO does not impose fines as often as the most active data protection authorities in the EU, the penalties imposed are dissuasive.

The adoption of the Act ensuring the applicability of the GDPR is particularly worth mentioning. Taking advantage of the possibility provided for this in the GDPR, the Polish legislature has clarified or restricted the application of the provisions of this Regulation in 162 sectoral Acts. The implemented solutions have eliminated a significant number of the doubts concerning the application of the GDPR in particular sectors.

The attention of privacy professionals is mainly focused on the recent decisions of the PPDPO and its approach to the respective GDPR provisions. A final decision is currently expected in the matter of the interpretation of the concept of disproportionate effort, which exempts data controllers from the obligation to comply with Article 14(1) and (2) of the GDPR, which contains a requirement to provide information to the data subject. Recently, a fine of EUR220,000 was imposed by the PPDPO in this matter. The Administrative Court of first instance, in its judgment of 11 December 2019, stated that a disproportionate effort should not be understood as either the organisational or financial cost of the fulfilment of a fully enforceable obligation under the aforementioned provision. The decision is not yet final and binding, and it is currently subject to consideration by the Court of second instance.

As mentioned in 1.1 Laws and 1.2 Regulators, currently, the general laws applicable to all sectors regulating personal data protection and privacy matters are the GDPR and the PPDA.

There are also soft laws, such as guidelines and announcements published by the Polish data protection authority, in the following fields, among others:

  • application of the “risk-based approach”;
  • records of personal data activities;
  • use of video surveillance;
  • operations requiring data protection impact assessments;
  • data protection in the workplace – guidance for employers; and
  • data protection in schools and educational establishments.

In addition, four codes of conduct have been filed by the relevant stakeholders with the Personal Data Protection Office in the following areas:

  • small medical facilities;
  • banking sector;
  • health care; and
  • housing co-operatives.

The above-mentioned codes of conduct now await approval by the Polish supervisory authority, and it is known that some other groups of stakeholders in different sectors are currently working on their codes of conduct.

Requirement for Appointment of Privacy or Data Protection Officers

Under the GDPR, it is obligatory to appoint a Data Protection Officer (DPO) in the following cases:

  • when data processing is carried out by a public authority or body, and the PPDA has specified that, in Poland, these shall include entities from the public finance sector, research institutes and the National Bank of Poland;
  • when the core activities of the data controller or processor consist of processing operations which, due to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  • when the core activities of the data controller or processor consist of the processing, on a large scale, of special categories of data and personal data relating to criminal convictions and offences.

The Polish supervisory authority should be notified about the appointment of the DPO by the above-mentioned entities within 14 days of the date of designation, and shall be notified about any change of the person appointed as DPO or of his or her personal details. Apart from the above, other controllers are also encouraged to appoint a DPO within their organisations or to have a data protection/privacy expert in place.

Criteria for Authorised Data Collection

As prescribed by the GDPR, controllers may use one of six legal bases that are all equivalent:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is a party, or for activities that are preparatory to contractual performance;
  • processing is necessary for compliance with a legal obligation (prescribed by the provisions of law) to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller; and
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, under the condition that such legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject (obligatory performance of a “balance test”).

It must be noted that public authorities are not allowed to use the criterion of legitimate interest as prescribed by the GDPR.

Application of “Privacy by Design” or “Privacy by Default”

The Polish legislative system still lacks either comprehensive or sector-specific guidelines for the application of the “privacy by design” and “privacy by default” concepts. Since this is considered a process of embedding privacy at an early stage of the creation of a product, service or system, Polish organisations still require more time to fully operationalise these requirements.

Need to Conduct DPIA

The President of the Personal Data Protection Office published a list of the types of data processing operation that require a data protection impact assessment (DPIA). The most important operations that result in the data controller’s obligation to carry out a data protection impact assessment include:

  • evaluation or assessment including profiling and prediction (behavioural analysis) for purposes causing negative legal and physical effects, financial or other inconvenience to individuals, eg, profiling of social media and other applications in order to send commercial information, credit assessment using artificial intelligence algorithms, or insurance companies offering lifestyle related discounts (cigarettes, alcohol, extreme sports, driving style);
  • automated decision-making producing significant legal, financial or similar effects, eg, camera-based speed measurement systems (the system collects information not only about offending vehicles, but about all vehicles in the controlled area), road sections equipped with an electronic toll collection system;
  • systematic large-scale surveillance of publicly available places using recognition elements, features or properties, eg, in the monitoring of people using services in the public space, when using data that goes beyond the data necessary to provide such services, in the means of public transport, offering city bicycle and car rental systems, processing of information obtained through IoT devices (medical bands, smartwatches, etc) and its transmission over the network using mobile devices such as smartphones or tablets;
  • biometric data processing solely to identify a natural person or for access control (eg, fingerprints in fitness clubs);
  • genetic data processing, eg, by laboratories, hospitals offering genetic diagnostics, DNA tests, medical analysis;
  • performing analyses, rating or inference based on the analysis of data derived from various sources (combining data collected from different sources);
  • innovative use or application of high tech solutions, eg, utility sellers and distributors (electricity, gas, water, telecommunications services) implementing smart meters, websites processing data from IoT devices such as cameras equipped with localisation functions (GPS), use of remote control devices in the public space and in public places, interactive services and toys dedicated to children.

Given the above guidelines provided by the PPDPO, as well as the fact that numerous interpretations and additional guidelines are available on the Polish market, from the operational and technological perspective organisations are likely to have appropriate processes, methodologies and tools in place to be able to perform the DPIA and to take any follow-up actions.

Data Subject’s Access Rights

Under the GDPR, data subjects are granted certain rights that must be respected by data controllers. Depending on the legal basis on which the given data processing operation is conducted, individuals have the following rights:

  • right to access the data and receive certain information about the processing, including the right to file requests for copies of the processed data;
  • right to rectification of inaccurate data and to have incomplete data completed;
  • right to erasure – to have the data deleted;
  • right to restriction of processing – limitation of the processing activities or limitation of the scope of data involved;
  • right to data portability – right to receive the data or have the data directly transmitted to another data controller in a structured, commonly used and machine-readable format;
  • right to object to certain processing activities conducted by the controller, such as the processing of data based on a legitimate interest; and
  • right to withdraw consent – always and without any further conditions, in cases where the processing is carried out based on the individual’s consent, he or she has the right to withdraw that consent at any time and without any further explanations (the withdrawal shall not affect the lawfulness of any processing conducted prior to the withdrawal, nor shall it affect the processing of other personal information conducted in reliance on lawful processing grounds other than consent).

In addition, the data subject always has the right to lodge a complaint with the supervisory authority.

As part of his or her right to information, an individual should be informed about the above-mentioned rights and should have the filing of requests facilitated by the controller.

The obligation to provide a data subject with the respective information about processing (Article 13 or 14 of the GDPR) and to grant access to data (Article 15 of the GDPR) is limited or excluded by the PPDA with respect to data controllers performing public tasks, in the following main cases:

  • when exercising the right will make it impossible to perform or will significantly hinder the performance of a public task, and the interests or fundamental rights or freedoms of the data subject are not superior to the interests ensuing from the performance of that public task;
  • when exercising the right will infringe the protection of classified information;
  • when the processing of data serves the prevention, detection or prosecution of criminal offences or the execution of criminal penalties; and
  • when the processing of data serves the protection of the state’s economic or financial interests.


In compliance with the minimisation principle, means such as pseudonymisation and anonymisation are recommended by the GDPR to be used as security measures. Due to the nature of anonymisation and the fact that it is irreversible if exercised fully in the data controller’s systems, it may result in the deletion of personal data.

The applicability of anonymisation/pseudonymisation within the IT landscape of organisations on the Polish market is still seen as one of the most significant challenges, especially in those organisations that have many systems in place. The pace at which technology is changing, however, has already allowed many IT solutions in this field to become available on the market. Early adopters are already applying these solutions but anonymisation and pseudonymisation are not yet generally selected as the preferred security measures by organisations in Poland.

As mentioned above, the Polish law ensuring the applicability of the GDPR provides for respective changes and references to the GDPR and GDPR requirements in more than 160 Polish Acts in various sectors. Below, a brief description of a selection of the most important changes is provided:


The financial institutions covered by the provisions of the Banking Law that are controllers of clients’ data have been exempt from the obligation to grant access to data subjects under Article 15 of the GDPR, to the extent necessary for proper fulfilment of the duties related to crime prevention and counteracting money laundering and terrorist financing; moreover, financial institutions have also been allowed to use automated decision-making, including profiling in the process of assessing creditworthiness and in credit risk analysis.

Insurance Activities

An explicit statutory legal basis is now provided in the law applicable to insurance companies, which allows them to process the health data of the individuals covered by the insurance policy, or contained in insurance contracts or statements made before the conclusion of the insurance contract, for the purpose of assessing insurance risk or performing the insurance contract, to the extent necessary given the purpose and type of the insurance policy. As a result of this change, insurance companies will not have to rely on consent as a legal basis, which in these specific circumstances did not meet the requirement of voluntary consent.

Health Data of Patients

The processors carrying out the processing on behalf of an entity providing health services: i) shall guarantee that the provision of health services will not be disturbed and, in particular, that access to medical information will not be interrupted; and ii) are bound to maintain the confidentiality of patient information, even after the patient's death. Moreover, the law sets out the conditions for charging fees for providing copies of medical records (the first copy of medical records should be issued to the patient for free).

Facilitation for Micro-enterprises

Companies with fewer than ten employees, and whose annual turnover or total assets on the balance sheet do not exceed the equivalent of EUR2 million, may provide the information specified in Article 13 of the GDPR by displaying the relevant information in a visible place on the company's premises or by publishing it on their website.

It must be mentioned that neither Polish law nor EU law provides sufficient regulation in the light of the growing online marketing and adtech sector.

As mentioned in 1.2 Regulators, the Polish legal framework currently contains two rather old acts implementing the e-Privacy Directive, which are deemed as not fitting the current market reality. Stakeholders in Poland await the e-Privacy Regulation and, more importantly, clear, officially binding, soft law-like regulations in this field.

The first one is the Act of 18 July 2002 on the Rendering of Electronic Services (as amended), which stipulates that sending unsolicited commercial information (such as offers, promotions and direct marketing content) addressed to a specific natural person by electronic means of communication, including but not limited to email, is forbidden (so-called spam). However, at the same time, commercial information is deemed not to be unsolicited if the recipient has given his or her consent to be provided with the said information; in particular, if they have made their electronic address available for this purpose. It is the responsibility of the providers of electronically supplied services (ie, any online services) to ensure that the user's consent or wilful action permitting marketing communications to be sent to them has been obtained, even for communications as simple as information on current promotions or offers.

The second one is the Telecommunications Act of 16 July 2004 (as amended), with its Articles 172 and 173 stating that it is forbidden for an entrepreneur to use telecommunications terminal equipment or automatic calling machines for the purposes of direct marketing, unless prior consent has been obtained from the subscriber/end user (which applies not only to natural persons, but also legal persons). Under no condition can the above-mentioned measures be used at the cost of the consumer (so-called unsolicited communications/spam). Furthermore, the same act provides that the storage of data, and access to the data stored on the subscriber’s or end user’s data terminal equipment (ie, the use of cookies), are permitted under the following conditions:

  • the subscriber or end user is duly informed in advance – in an unambiguous, easy and intelligible manner – about the purpose of such storage or access to data and about his or her own ability to determine the conditions of such storage or access to data via software functions;
  • the subscriber or end user, after the receipt of the above-mentioned information, gives his or her consent (such consent must be explicit and clearly distinguishable from other declarations, may be expressed in electronic form and can be easily withdrawn at any time, free of charge); or
  • the data stored, or access to such data, must not result in any configuration changes to the subscriber’s or end user’s data terminal equipment or to the software installed on such equipment.

With respect to the use of cookies and similar technologies for online advertisements, the general requirements of the GDPR and other general Acts should apply in the scope of: i) the legal basis for data processing; ii) requirements for profiling and/or (if applicable) iii) automated decision-making. 

Participants in the online advertising environment, which is growing and developing very fast, are not consistent when it comes to their roles in the online marketing channel (whether controller or processor). There is an urgent need to implement general standards for this sector.

Polish employees, like any other persons, have the right to privacy in the workplace. The ground rules are set by the Polish Constitution, supplemented by the provisions of the Polish Labour Code of 26 June 1974 (as amended) (the PLC) contained in Articles 22¹–22³. In addition, the PPDPO has issued sectoral guidelines: “Data protection in the workplace. Guidebook for employers”. This document also covers issues other than privacy in the workplace (eg, recruitment).

In general, employers are allowed to conduct monitoring of employees (online activity of employees or CCTV), but employees must be aware that they are monitored. The employer must identify the purpose, scope and means used for such surveillance. Depending on the specific situation of the employer, this information should be included in collective bargaining agreements, workplace regulations which should be agreed with employees’ representatives, or in an employer’s announcement.

Even if admissible, there are some restrictions on the monitoring of employees. Regardless of the employer’s regulations, there are certain areas of employees’ activities that must not be monitored – eg, the places where employees may expect privacy like canteens, locker rooms, toilets or trade union premises. Furthermore, monitoring must not breach the right to secrecy of correspondence or any other personal rights of employees. The employer can only process that personal data which is necessary for the purpose of monitoring (ie, privacy by default).

The key factor is to properly inform employees about monitoring. In the case of CCTV, information about which premises are being monitored should be provided; in the case of monitoring of employees’ internet activity, the employer should inform employees that such activity is being monitored and whether employees are allowed to use the company’s equipment for private purposes. In any case, the surveillance system in the workplace must allow employees to anonymously lodge complaints (eg, whistle-blowing).

As prescribed by law, the general term for the retention of such data is a maximum of three months, unless the recording (CCTV) or information (eg, acquired from online activity) is to be used as evidence in proceedings, in which case the term is extended until the end of such proceedings.

The PPDPO is obliged to collect and examine all evidence before concluding that there has been a violation of the provisions on personal data protection. Any deficiencies in this respect constitute serious misconduct in the proceedings conducted by the PPDPO and may result in the annulment of the PPDPO’s decision by the Administrative Court. In the event of a breach of personal data protection, in addition to ordering specific actions, the PPDPO may, depending on the type of the breach, impose a financial penalty on a private entity of up to:

  • EUR10 million or 2% of the company's total global annual turnover for the preceding financial year (whichever is higher); or
  • EUR20 million or 4% of the company's total global annual turnover for the preceding financial year (whichever is higher).

In the case of public entities, the Polish legislature used the option provided for in the GDPR and limited the amount of the fine to PLN100,000, and in the case of state and local cultural institutions to PLN10,000.

Over the past 12 months, the PPDPO has imposed eight fines with a total amount of approximately EUR960,000. The highest penalty was EUR660,000, and the lowest EUR460. More details on the fines imposed are provided in 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation.

The data subject may also demand protection of his or her data in civil proceedings. For this purpose, the data subject may apply for the protection of personal rights as provided for in the Civil Code, or may file a claim for the violation of the provisions on personal data protection introduced by the GDPR.

The GDPR does not indicate whether class actions for personal data protection are admissible. In Poland, such a possibility is currently unclear due to doubts regarding the interpretation of the provisions of the Act on Pursuing Claims in Group Proceedings.

As mentioned in 1.4 Multilateral and Subnational Issues, Poland transposed Directive (EU) 2016/680, by implementing the Crimes Prevention PPDA.

This Act does not apply to personal data processed by the national intelligence service or in the course of proceedings conducted in juvenile cases, based on the Penal Enforcement Code, Code of Criminal Procedure, Penal Fiscal Code, Petty Offences Procedure Code, or the Act on the Prosecutor's Office and some others. As a result, the scope of application of the Crimes Prevention PPDA is relatively narrow.

The aim of the Crimes Prevention PPDA is to maintain a balance between the right to privacy of individuals and the needs of police and other bodies operating in the areas of preventing and combating crimes. This Act contains requirements regarding confidentiality, security of personal data and granting rights to data subjects, together with the right to file a complaint regarding unlawful processing of personal data, or to report personal data processing breaches to the PPDPO. It also aims to ensure the effective judicial co-operation of the police with other bodies from EU member states in criminal matters.

As regards access to data in other cases, sector-specific Acts apply, which have not been amended, either under the GDPR or Directive (EU) 2016/680. The Police Act of 6 April 1990 determines that the police should have the right to process personal data without the knowledge and consent of the data subject to the extent necessary to perform their statutory duties. Upon the written request of, respectively, the Police Commander-in-Chief, Voivodship (District) Police Commander or an equivalent official, or upon the request of an individual authorised by the above-mentioned persons, personal data controllers such as telecommunications operators and internet service providers should allow free of charge access to the personal data of specific individuals. Where it is important, in certain circumstances, to avoid the need to submit individually justified written requests for access to data each time such access is needed, personal data controllers may conclude a written agreement with the respective law enforcement body on providing access to information collected using teletransmission (so-called permanent connection). Such a solution should only be used when justified by the specific nature or scope of the tasks performed by the organisational units of the police or the activities they conduct, and, additionally, the connection should be duly secured and able to log the identity of the person requesting access and the scope of access provided.

Thus, no prior approval by the court for access to citizens’ data is needed; however, the respective District Courts control the activities of the police based on aggregate semi-annual reports.

When it comes to the intelligence service, namely the Central Anti-Corruption Agency, the same rules apply for acquiring access to data collected using teletransmission. The request should be made by the head of the Agency or its authorised personnel, and permanent connection may be granted, too. In this case, the law does not provide for either prior or post factum control by the courts. For this reason, a plenipotentiary for compliance with data protection legislation of the processing of personal data collected by the Central Anti-Corruption Agency is appointed, who submits annual reports to the Prime Minister, the Parliamentary Commission for Special Services and the President of the Personal Data Protection Office.

As regards the other intelligence services in Poland, namely the Internal Security Agency, no specific rules for acquiring access to data are determined by law. The Agency must rely on its internal procedures and most probably applies very similar standards to those applied by the Police or Central Anti-Corruption Agency as described above.

Taking advantage of the opportunity, provided to EU member states by the GDPR, to exclude its applicability to a certain extent in relation to national security, Poland has decided that the provisions of the GDPR and the PPDA shall not apply to:

  • the processing of personal data by a number of public finance sector entities, to the extent that such processing is necessary for them to perform tasks aimed at ensuring national security, if special provisions stipulate the necessary measures for the protection of the rights and freedoms of the data subject; and
  • the activities of special forces (intelligence service).

As a result, the PPDPO has no power to inspect certain entities of the public finance sector or special forces.

The above, together with the fact that the Crimes Prevention PPDA, referred to above in 3.1 Laws and Standards for Access to Data for Serious Crimes, does not apply to the intelligence service either, means that there are no generally applicable rules at the level of national acts dedicated specifically to the protection of personal data by the intelligence service in Poland. There are, however, general rules applicable to the protection of confidential information or classified information, which naturally also include personal data.

As mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, in all the cases where it is justified by the specific nature of the proceedings, including, in particular, the national security purposes of the police, the intelligence services may be granted access to the personal data of individuals, including access to data collected using teletransmission, upon the request of their chiefs, heads or persons authorised by them, without prior judicial engagement. The courts exercise post-factum control over the access granted to the police, based on semi-annual reports provided to them by the police, and an indirect post-factum control of the data collected by the intelligence service.

Having in mind the above, it is of the utmost importance that law enforcement bodies, given the lack of specific detailed provisions and prior approval by the courts, should act in compliance with constitutional rights and civil liberties, according to directives issued by the Polish Constitutional Tribunal, Court of Justice of the European Union and the European Court of Human Rights, with respect to the issues in question.

A request by a foreign government to a Polish data controller to disclose personal data cannot, as such, be fulfilled. Unlike Polish law enforcement bodies, which have been provided with this right in Polish law, foreign governments and foreign law enforcement bodies should follow standard rules of international co-operation between states and state institutions, based on either bilateral agreements with Poland or EU-level acts on co-operation between member states. A transfer of personal data by the controller that bypasses such international procedures will be deemed an unlawful transfer of personal data.

Upon the initiative of state-owned entities, a Public Cloud Operator (Operator Chmury Krajowej) was established. This company develops services related to data processing and storage, dedicated to big Polish enterprises, mostly from regulated sectors, public administration and education. The strategic partner of this project is one of the big American cloud service providers. Therefore, the Polish government has announced that it will strive to conclude a CLOUD Act (the Clarifying Lawful Overseas Use of Data) agreement with the USA in order to eliminate the risk of uncontrolled American access to the data of Polish companies stored by the Polish Public Cloud Operator and/or apply the reciprocity rule in this respect. Further steps to negotiate and sign such an agreement are awaited.

There are some conflicts between the Polish Ombudsman and the representatives of the Polish legislature and government with respect to the correct transposition of the latest Directive (EU) 2016/680.

The problem concerns the notion of national security, which is very broad, and the intelligence service, as its statutory activities are not only protection of national security. Therefore, the arguments of the Polish Ombudsman are that the exemption from requirements having to do with the processing of personal data by the intelligence service as a whole is not justified. At the same time, the language of the Crimes Prevention PPDA gives some room for interpretation allowing its applicability to activities that are not connected with national security. Future jurisprudence should hopefully eliminate the discrepancies and doubts in this respect.

As regards legislation on access to citizens’ data by the police and intelligence service, there is a debate over whether broad and relatively easy access to telecommunications data is justified. The opponents of this legislation point out that there is a significant risk of serious abuse, because law enforcement bodies can, for example, accurately reproduce various aspects of a citizen's private life and collect data on his or her lifestyle, views, preferences or inclinations.

International data transfers of personal information to a third country outside the European Economic Area (EEA) (ie one that may not provide an adequate level of protection according to EU standards) are governed by the GDPR. Polish legislation does not provide any additional requirements other than those arising from the GDPR. Relevant authorities have also confirmed the applicability of the available GDPR scenarios.

Primarily, data transfers to an entity located in a country outside the EEA without further specific authorisation may take place in a situation where a so-called adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR. In such a decision, the European Commission may decide that a third country, a territory, or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Currently, the countries covered by the adequacy decision are, for example, Andorra, Argentina, Canada (with some exceptions), Israel (with respect to electronically processed data only), Japan, Jersey, New Zealand and Switzerland. Adequacy talks are ongoing with South Korea.

Apart from the above, a transfer of personal information outside the EEA is possible if the following means are in place:

  • binding corporate rules;
  • standard contractual clauses (either adopted by the Commission or adopted by local authorities and approved by the Commission); and
  • a legally binding and enforceable instrument between public authorities or bodies (eg, Privacy Shield).

Notifications or approvals to transfer data internationally are only required when the organisation would like to obtain an approval of, for example, its binding corporate rules. When data controllers are using a mechanism adopted or approved by the Commission, additional notification or approvals are not required.

As a primary rule, the personal data of individuals from the EU should be processed in the EU. The processing of data outside the EEA by an establishment of a controller or a processor in the EEA requires compliance with the provisions of the GDPR regarding transfer to third countries, as specified in 4.2 Mechanisms that Apply to International Data Transfers.

A controller or a processor not established in the EEA but processing personal data of data subjects who are within the EEA (offering goods or services to such data subjects in the EEA or monitoring their behaviour as far as their behaviour takes place within the EEA) should also apply the GDPR requirements, including the requirements for transfers to third countries.

Currently, since the GDPR is not applicable in this area, personal data controllers are not required to report to the government or to supervisory authorities on the use of certain technical security measures or technical details such as software code or algorithms. It may, however, be the case that the competent supervisory authority approving binding corporate rules in accordance with the consistency mechanism under Article 47 of the GDPR will require the controller to have a description of the technical details of the applicant’s infrastructure.

Please refer to 3.3 Invoking a Foreign Government.

Transfer of personal data to third countries requires compliance with the provisions of the GDPR as described in the sections above, mainly 4.2 Mechanisms that Apply to International Data Transfers. In case of lack of compliance with these provisions, such a transfer is impermissible and illegal under the GDPR.

In Poland, it has been accepted that specific issues regarding the use of modern solutions and technologies such as big data analytics, automated decision-making, profiling, the IoT, biometric data and geolocation are regulated in the regulations of individual sectors. In practice, this means that it is necessary to build use cases to determine legal requirements in this area. Only on such a basis can an analysis be carried out. The analysis should consist, in the first step, in identifying the legal acts applicable to a given use case. However, the GDPR contains general requirements for the protection of personal data that should be followed.

The degree of regulation of modern solutions and technologies in a given sector depends on two factors: first – the real need to use them in a given sector and second – the doubts and risks associated with their use. For example, in the Banking Law, as a result of the activities of an industry organisation, provisions were introduced to enable financial institutions to make solely automated decisions to assess creditworthiness and analyse credit risk. These provisions also include safeguards for the protection of personal data. It is necessary to ensure that the person to whom the automated decision refers has been guaranteed the following rights: the right to receive appropriate explanations of the grounds for the decision taken; the right to obtain human intervention in order to have the decision reconsidered; and the right to express his or her position. The purpose of these solutions is to prevent the use of "black box" solutions that subject decisions solely to an algorithm, and to provide the data subject with a response in the event that he or she considers that relevant circumstances were not taken into account in the course of automated decision-making. In addition, the use of specific categories of personal data in automated decisions has been banned – eg, health, sexuality or sexual orientation data.

The recommendations issued by the Polish Financial Supervision Authority, and specifically Recommendation D of January 2013 dedicated to financial institutions, are an example of regulation of the issues related to so-called "Digital Governance". Recommendation D aims to present the supervisory authority’s expectations regarding careful and stable management of information technology and the security of the IT environment. The document contains twenty-two recommendations, which are divided into the following areas:

  • strategy and organisation of information technology and the IT environment security areas;
  • development of the IT environment;
  • maintenance and operation of the IT environment; and
  • IT environment security management.

The descriptions and comments contained therein, together with individual recommendations, should be treated as a set of good practices, which should be applied in accordance with the principle of proportionality. This means that the use of these practices should depend, among other things, on how much they fit the specific features and risk profile of the entity, the specific legal conditions in which the entity operates and the characteristics of its IT environment, as well as on the ratio of the costs of their implementation to the resulting benefits (also from the perspective of the entity's customers’ safety).

Financial penalties imposed by the PPDPO arouse the greatest interest of the Polish public and, in particular, privacy professionals. The PPDPO has imposed fines in the following cases:

  • Amount of the penalty: EUR660,000; entity punished: a company operating online stores; infringement: insufficient organisational and technical safeguards.
  • Amount of the penalty: EUR220,000; entity punished: data broker; infringement: failure to comply with the obligation to provide the necessary information to the data subject.
  • Amount of the penalty: EUR47,000; entity punished: a company from the advertising industry; infringement: lack of easy and effective withdrawal of consent and ability to exercise the right to be forgotten, processing of data of persons who are not customers without a legal basis.
  • Amount of the penalty: EUR13,000; entity punished: sports association; infringement: publishing too wide a range of personal data online.
  • Amount of the penalty: EUR9,327; entity punished: city hall; infringement: lack of data processing agreements, lack of adequate policies for data retention and deletion, failure to carry out risk analysis, failure to implement appropriate technical and organisational measures to secure data, deficiencies in the register of processing activities.
  • Amount of the penalty: EUR7,000; entity punished: company dealing with protection of property and people.
  • Amount of the penalty: EUR1,900; entity punished: real estate management company.
  • Amount of the penalty: EUR460; entity punished: housing community.

Issues relating to applicable legal standards in the context of regulatory enforcement are discussed in 1.3 Administration and Enforcement Process.

Matters relating to private litigation involving privacy or data protection are discussed in 2.5 Enforcement and Litigation.

One of the basic principles introduced by the GDPR is the principle of accountability. It places an obligation on organisations to demonstrate that they comply with the provisions of the law. The translation of the accountability principle into the process of entering into corporate transactions means that due diligence must also include an analysis of personal data protection in the acquired entity or group of entities.

Due diligence in the area of personal data protection is most often based on information and documents obtained from the entity covered by the review. The results of the due diligence are included in the due diligence report along with the identification of the risks related to specific issues.

One of the key principles of the GDPR and the existing data protection laws is transparency towards data subjects.

Furthermore, some other laws also impose similar requirements, namely the Act of 5 July 2018 on the National Cybersecurity System, which is a transposition of the Network and Information Security Directive – Directive (EU) 2016/1148 of the European Parliament and of the Council. This Directive imposes an obligation to provide the user of essential services with access to knowledge that will enable him or her to understand cybersecurity threats and use effective methods of protection against them within the scope of the service being provided. This obligation can be fulfilled by publishing information on the company website and it applies to operators of essential services and public entities specified in the Act.

There are no major issues of data protection and privacy in Poland not already covered in this chapter.

Ernst & Young Law Tałasiewicz, Zakrzewska i Wspólnicy sp.k.

Rondo ONZ 1
00-124 Warszawa

+48 22 557 70 00

+48 22 557 70 01