The right to privacy is guaranteed in Article 47 of the Constitution of the Republic of Poland of 2 April 1997 (the Polish Constitution). The right to the protection of personal data is a specialised measure to protect privacy, specified in Article 51 of the Polish Constitution.
Concretisation of the constitutionally guaranteed right to the protection of personal data in Poland is to be found in specific EU and Polish regulations, which are: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the GDPR), and the Act of 10 May 2018 on the Protection of Personal Data (the PPDA). The latter regulates, among other things, the organisation and functioning of the Personal Data Protection Office and the role of the President of the Personal Data Protection Office (the PPDPO). Moreover, the Act of 21 February 2019 on amendments to different Acts in connection with ensuring the applicability of the GDPR provides for respective changes and references to the GDPR and GDPR requirements in 162 Polish Acts in various sectors.
In the event of a breach of the provisions on personal data protection, there is a risk of administrative liability (including a financial penalty) as well as of civil and criminal liability. The data subject has the right to choose the means of protecting his or her personal data: civil (proceedings before the court) or administrative (proceedings before the PPDPO). Both methods are independent of each other and the data subject is also entitled to choose to use both. However, a claim for compensation for damages can only be made in civil proceedings against the data controller in breach. In contrast, criminal liability is additional to administrative and civil liability. Collective entities (eg, a company) are not subject to criminal liability, unlike natural persons, who are individually responsible for committing a criminal act.
The PPDPO is the authority competent in matters of personal data protection. The PPDPO initiates proceedings in the event of a complaint about a breach of personal data protection regulations by a data controller, or on his or her own initiative, as a result of an inspection or of obtaining information about irregularities. The inspections carried out by the PPDPO may consist of obtaining written explanations as well as direct inspections carried out by authorised employees of the Personal Data Protection Office. In addition to ad hoc controls, the PPDPO also carries out scheduled inspections, the subject of which is announced at the beginning of each calendar year.
To the extent that personal data protection issues relate to electronic communications, the President of the Office of Electronic Communications is also competent. Likewise, in the event that personal data processing may constitute a practice infringing collective consumer interests, the President of the Office for Competition and Consumer Protection is also competent.
The proceedings to deal with a breach of regulations concerning personal data protection are conducted by the PPDPO based on the provisions of the PPDA. In matters not covered by the PPDA, the Code of Administrative Procedure shall apply. The proceedings are single-instance and the PPDPO’s decision is final and terminates the proceedings at the level of administrative bodies. The PPDPO may impose an administrative fine in its decision. If an entity does not agree with the decision, it is entitled to file a complaint with an Administrative Court within 30 days of the decision being served. Subsequently, the party has the right to appeal against the decision of an Administrative Court of first instance to an Administrative Court of second instance.
In Poland, which is a member state of the EU, the provisions of the GDPR are directly applicable. With respect to data processing in electronic communications, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (e-Privacy Directive) is applicable. In Poland, the provisions of this Directive have been implemented by the Act of 18 July 2002 on the Rendering of Electronic Services (as amended) and the Telecommunications Act of 16 July 2004 (as amended). Currently, work is underway on the e-Privacy Regulation, which will replace the e-Privacy Directive. As regards law enforcement authorities, Poland has transposed Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, by passing the Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crimes (Crimes Prevention PPDA).
As for non-governmental organisations (NGOs), attention should be paid to the activities of the Panoptykon Foundation. It is a Polish NGO whose goal is to protect fundamental freedoms against threats associated with the development of modern techniques of supervision over society. Particularly noteworthy are its activities in the last year on behavioural advertising, which included the preparation of a report on online advertising and the filing of complaints with the PPDPO about online advertising tracking ecosystems. Similar complaints have been filed by organisations in fifteen EU countries.
Industry organisations are very active in the context of personal data protection. They provide opinions regarding the law and propose changes to it. They create sectoral guidelines (eg, codes of conduct) and also conduct educational activities. Examples of such organisations include: the Polish Bank Association, the Polish Insurance Association, the Lewiatan Confederation, the Poland Internet Industry Employers’ Association (IAB), and the Polish Marketing Association (SMB).
In Poland, there are also organisations of privacy professionals dealing with personal data protection. The following should be mentioned as prominent examples of such organisations: the Association of Data Protection Officers (SABI), the Association of Personal Data Protection Officers, and the Association of Data Protection Practitioners.
Legislation on personal data protection has existed in Poland since 1997. However, due to the lack of financial penalties provided for in the previous Act, the requirements included therein were not strictly observed. As a result of the introduction of financial penalties by the GDPR, the importance of personal data protection requirements in Poland has increased significantly. Currently, the so-called second wave of the adoption of GDPR requirements can be seen. This is due to the fact that fines are imposed by the PPDPO as well as other EU authorities. Although the PPDPO does not impose fines as often as the most active data protection authorities in the EU, the penalties imposed are dissuasive.
The adoption of the Act ensuring the applicability of the GDPR is particularly worth mentioning. Taking advantage of the possibility provided for this in the GDPR, the Polish legislature has clarified or restricted the application of the provisions of this Regulation in 162 sectoral Acts. The implemented solutions have eliminated a significant number of the doubts concerning the application of the GDPR in particular sectors.
The attention of privacy professionals is mainly focused on the recent decisions of the PPDPO and his approach to the respective GDPR provisions. A final decision is currently expected in the matter of the interpretation of the concept of disproportionate effort, which exempts data controllers from the obligation to comply with Article 14 (1) and (2) of the GDPR, which contains a requirement to provide information to the data subject. Recently, a fine of EUR220,000 was imposed by the PPDPO in this matter. The Administrative Court of first instance, in its judgment of 11 December 2019, stated that a disproportionate effort should not be understood as either the organisational or financial cost of the fulfilment of a fully enforceable obligation under the aforementioned provision. The decision is not yet final and binding, and it is currently subject to consideration by the Court of second instance.
As mentioned in 1.1 Laws and 1.2 Regulators, currently, the general laws applicable to all sectors regulating personal data protection and privacy matters are the GDPR and the PPDA.
There are also soft laws such as guidelines and announcements published by the Polish data protection authority among others, in the following fields:
In addition, four codes of conduct have been filed by the relevant stakeholders with the Personal Data Protection Office in the following areas:
The above-mentioned codes of conduct now await approval by the Polish supervisory authority, and it is known that some other groups of stakeholders in different sectors are currently working on their codes of conduct.
Requirement for Appointment of Privacy or Data Protection Officers
Under the GDPR, it is obligatory to appoint a Data Protection Officer (DPO) in the following cases:
The Polish supervisory authority should be notified about the appointment of the DPO by the above-mentioned entities within 14 days of the date of designation, and shall be notified about any change of the person appointed as DPO or of his or her personal details. Apart from the above, other controllers are also encouraged to appoint a DPO within their organisations or to have a data protection/privacy expert in place.
Criteria for Authorised Data Collection
As prescribed by the GDPR, controllers may use one of six legal bases that are all equivalent:
It must be noted that public authorities are not allowed to use the criterion of legitimate interest as prescribed by the GDPR.
Application of “Privacy by Design” or “Privacy by Default”
The Polish legislative system still lacks either comprehensive or sector-specific guidelines for the application of the “privacy by design” and “privacy by default” concepts. As this is considered a process of embedding privacy at the early stage of the creation of a product, service or system, Polish organisations still require more time to fully operationalise these requirements.
Need to Conduct DPIA
The President of the Personal Data Protection Office published a list of the types of data processing operation that require a data protection impact assessment (DPIA). The most important operations that result in the data controller’s obligation to carry out a data protection impact assessment include:
Given the above guidelines provided by the PPDPO, as well as the fact that numerous interpretations and additional guidelines are available on the Polish market, from the operational and technological perspective organisations are likely to have appropriate processes, methodologies and tools in place to be able to perform the DPIA and to take any follow-up actions.
Data Subject’s Access Rights
Under the GDPR, data subjects are granted certain rights that must be respected by data controllers. Depending on the legal basis on which the given data processing operation is conducted, individuals have the following rights:
In addition, the data subject always has the right to lodge a complaint with the supervisory authority.
As part of his or her right to information, an individual should be informed about the above-mentioned rights, and the controller should facilitate the filing of requests to exercise them.
The obligation to provide a data subject with the respective information about processing (Article 13 or 14 of the GDPR) and to grant access to data (Article 15 of the GDPR) is limited or excluded by the PPDA with respect to data controllers performing public tasks, in the following main cases:
In compliance with the minimisation principle, means such as pseudonymisation and anonymisation are recommended by the GDPR to be used as security measures. Due to the nature of anonymisation and the fact that it is irreversible if exercised fully in the data controller’s systems, it may result in the deletion of personal data.
The applicability of anonymisation/pseudonymisation within the IT landscape of organisations on the Polish market is still seen as one of the most significant challenges, especially in those organisations that have many systems in place. The pace at which technology is changing, however, has already allowed many IT solutions in this field to become available on the market. Early adopters are already applying these solutions but anonymisation and pseudonymisation are not yet generally selected as the preferred security measures by organisations in Poland.
As mentioned above, the Polish law ensuring the applicability of the GDPR provides for respective changes and references to the GDPR and GDPR requirements in more than 160 Polish Acts in various sectors. Below, a brief description of a selection of the most important changes is provided:
The financial institutions covered by the provisions of the Banking Law that are controllers of clients’ data have been exempt from the obligation to grant access to data subjects under Article 15 of the GDPR, to the extent necessary for proper fulfilment of the duties related to crime prevention and counteracting money laundering and terrorist financing; moreover, financial institutions have also been allowed to use automated decision-making, including profiling in the process of assessing creditworthiness and in credit risk analysis.
An explicit statutory legal basis is now provided in the law applicable to insurance companies, which allows them to process the health data of the individuals covered by the insurance policy, or contained in insurance contracts or statements made before the conclusion of the insurance contract, for the purpose of assessing insurance risk or performing the insurance contract, to the extent necessary given the purpose and type of the insurance policy. As a result of this change, insurance companies will not have to rely on consent as a legal basis, which in these specific circumstances did not meet the requirement of voluntary consent.
Health Data of Patients
The processors carrying out the processing on behalf of an entity providing health services: i) shall guarantee that the provision of health services will not be disturbed and, in particular, that access to medical information will not be interrupted; and ii) are bound to maintain confidentiality of patient information, even after their death. Moreover, the law sets out the conditions for charging fees for providing copies of medical records (the first copy of medical records should be issued to the patient for free).
Facilitation for Micro-enterprises
Companies with fewer than ten employees, and whose annual turnover or total assets on the balance sheet do not exceed the equivalent of EUR2 million, may provide the information specified in Article 13 of the GDPR by displaying the relevant information in a visible place on the company's premises or by publishing it on its website.
It must be mentioned that neither Polish law nor EU law provides sufficient regulation in the light of the growing online marketing and adtech sector.
As mentioned in 1.2 Regulators, the Polish legal framework currently contains two rather old acts implementing the e-Privacy Directive, which are deemed as not fitting the current market reality. Stakeholders in Poland await the e-Privacy Regulation and, more importantly, clear, officially binding, soft law-like regulations in this field.
The first one is the Act of 18 July 2002 on the Rendering of Electronic Services (as amended), which stipulates that sending unsolicited commercial information (such as offers, promotions and direct marketing content) addressed to a specific natural person by electronic means of communication, including but not limited to email, is forbidden (so-called spam). However, at the same time, commercial information is deemed not to be unsolicited if the recipient has given his or her consent to be provided with the said information; in particular, if they have made their electronic address available for this purpose. It is the responsibility of the providers of electronically supplied services (ie, any online services) to ensure that the user has given consent, or taken a wilful action, allowing marketing communications to be sent to them, even communications as simple as information on current promotions or offers.
Participants in the online advertising environment, which is growing and developing very fast, are not consistent when it comes to their roles in the online marketing channel (whether controller or processor). There is an urgent need to implement general standards for this sector.
Polish employees, like any other persons, have the right to privacy in the workplace. The ground rules are set by the Polish Constitution, supplemented by the provisions of the Polish Labour Code of 26 June 1974 (as amended) (the PLC) contained in Articles 22¹–22³. In addition, the PPDPO has issued sectoral guidelines: “Data protection in the workplace. Guidebook for employers”. This document also covers issues other than privacy in the workplace (eg, recruitment).
In general, employers are allowed to conduct monitoring of employees (online activity of employees or CCTV), but employees must be aware that they are monitored. The employer must identify the purpose, scope and means used for such surveillance. Depending on the specific situation of the employer, this information should be included in collective bargaining agreements, workplace regulations which should be agreed with employees’ representatives, or in an employer’s announcement.
Even if admissible, there are some restrictions on the monitoring of employees. Regardless of the employer’s regulations, there are certain areas of employees’ activities that must not be monitored – eg, the places where employees may expect privacy like canteens, locker rooms, toilets or trade union premises. Furthermore, monitoring must not breach the right to secrecy of correspondence or any other personal rights of employees. The employer can only process that personal data which is necessary for the purpose of monitoring (ie, privacy by default).
The key factor is to properly inform employees about monitoring. In the case of CCTV, information about which premises are being monitored should be provided; in the case of monitoring of the employees’ internet activity, the employer should inform their employees that such activity is being monitored and whether employees are allowed to use the company’s equipment for private purposes. In any case, the surveillance system in the workplace must allow employees to anonymously lodge complaints (eg, whistle-blowing).
As prescribed by law, the general term for the retention of such data is a maximum of three months, unless the recording (CCTV) or information (eg, acquired from online activity) is to be used as evidence in proceedings, in which case the term is extended until the end of such proceedings.
The PPDPO is obliged to collect and examine all evidence before concluding that there has been a violation of the provisions on personal data protection. Any deficiencies in this respect constitute serious misconduct in the proceedings conducted by the PPDPO and may result in the annulment of the PPDPO’s decision by the Administrative Court. In the event of a breach of personal data protection, in addition to ordering specific actions, the PPDPO may, depending on the type of the breach, impose a financial penalty on a private entity of up to:
In the case of public entities, the Polish legislature used the option provided for in the GDPR and limited the amount of the fine to PLN100,000, and in the case of state and local cultural institutions to PLN10,000.
Over the past 12 months, the PPDPO has imposed eight fines with a total amount of approximately EUR960,000. The highest penalty was EUR660,000, and the lowest EUR460. More details on the fines imposed are provided in 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation.
The data subject may also demand protection of his or her data in civil proceedings. For this purpose, the data subject may apply for the protection of personal rights as provided for in the Civil Code, or may file a claim for the violation of the provisions on personal data protection introduced by the GDPR.
The GDPR does not indicate whether class actions for personal data protection are admissible. In Poland, such a possibility is currently unclear due to doubts regarding the interpretation of the provisions of the Act on Pursuing Claims in Group Proceedings.
As mentioned in 1.4 Multilateral and Subnational Issues, Poland transposed Directive (EU) 2016/680, by implementing the Crimes Prevention PPDA.
This Act does not apply to personal data processed by the national intelligence service or in the course of proceedings conducted in juvenile cases, based on the Penal Enforcement Code, Code of Criminal Procedure, Penal Fiscal Code, Petty Offences Procedure Code, or the Act on the Prosecutor's Office and some others. As a result, the scope of application of the Crimes Prevention PPDA is relatively narrow.
The aim of the Crimes Prevention PPDA is to maintain a balance between the right to privacy of individuals and the needs of police and other bodies operating in the areas of preventing and combating crimes. This Act contains requirements regarding confidentiality, security of personal data and granting rights to data subjects, together with the right to file a complaint regarding unlawful processing of personal data, or to report personal data processing breaches to the PPDPO. It also aims to ensure the effective judicial co-operation of the police with other bodies from EU member states in criminal matters.
As regards access to data in other cases, sector-specific Acts apply, which have not been amended, either under the GDPR or Directive (EU) 2016/680. The Police Act of 6 April 1990 determines that the police should have the right to process personal data without the knowledge and consent of the data subject to the extent necessary to perform their statutory duties. Upon the written request of, respectively, the Police Commander-in-Chief, Voivodship (District) Police Commander or an equivalent official, or upon the request of an individual authorised by the above-mentioned persons, personal data controllers such as telecommunications operators and internet service providers should allow free of charge access to the personal data of specific individuals. Where it is important, in certain circumstances, to avoid the need to submit individually justified written requests for access to data each time such access is needed, personal data controllers may conclude a written agreement with the respective law enforcement body on providing access to information collected using teletransmission (so-called permanent connection). Such a solution should only be used when justified by the specific nature or scope of the tasks performed by the organisational units of the police or the activities they conduct, and, additionally, the connection should be duly secured and able to log the identity of the person requesting access and the scope of access provided.
Thus, no prior approval by the court for access to citizens’ data is needed; however, the respective District Courts control the activities of the police based on aggregate semi-annual reports.
When it comes to the intelligence service, namely the Central Anti-Corruption Agency, the same rules apply for acquiring access to data collected using teletransmission. The request should be made by the head of the Agency or its authorised personnel, and permanent connection may be granted, too. In this case, the law does not provide for either prior or post factum control by the courts. For this reason, a plenipotentiary for compliance with data protection legislation of the processing of personal data collected by the Central Anti-Corruption Agency is appointed, who submits annual reports to the Prime Minister, the Parliamentary Commission for Special Services and the President of the Personal Data Protection Office.
As regards the other intelligence services in Poland, namely the Internal Security Agency, no specific rules for acquiring access to data are determined by law. The Agency must rely on its internal procedures and most probably applies very similar standards to those applied by the Police or Central Anti-Corruption Agency as described above.
Taking advantage of the opportunity, provided to EU member states by the GDPR, to exclude its applicability to a certain extent in relation to national security, Poland has decided that the provisions of the GDPR and the PPDA shall not apply to:
As a result, the PPDPO has no power to inspect certain entities of the public finance sector or special forces.
The above, together with the fact that the Crimes Prevention PPDA, referred to above in 3.1 Laws and Standards for Access to Data for Serious Crimes, does not apply to the intelligence service either, means that there are no generally applicable rules at the level of national acts dedicated specifically to the protection of personal data by the intelligence service in Poland. There are, however, general rules applicable to the protection of confidential information or classified information, which naturally also include personal data.
As mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, in all the cases where it is justified by the specific nature of the proceedings, including, in particular, the national security purposes of the police, the intelligence services may be granted access to the personal data of individuals, including access to data collected using teletransmission, upon the request of their chiefs/heads/persons so authorised, without prior judicial engagement. The courts exercise post-factum control over the access granted to the police, based on semi-annual reports provided to them by the police, and only indirect post-factum control over the data collected by the intelligence service.
Having in mind the above, it is of the utmost importance that law enforcement bodies, given the lack of specific detailed provisions and prior approval by the courts, should act in compliance with constitutional rights and civil liberties, according to directives issued by the Polish Constitutional Tribunal, Court of Justice of the European Union and the European Court of Human Rights, with respect to the issues in question.
A request by a foreign government to a Polish data controller to disclose personal data cannot, as such, be fulfilled. Unlike Polish law enforcement bodies, which have been provided with this right in Polish law, foreign governments and foreign law enforcement bodies should follow standard rules of international co-operation between the states and state institutions based on either bilateral agreements with Poland or EU level acts on co-operation between member states. A transfer of personal data by the controller bypassing such international procedures will be deemed as an unlawful transfer of personal data.
Upon the initiative of state-owned entities, a Public Cloud Operator (Operator Chmury Krajowej) was established. This company develops services related to data processing and storage, dedicated to big Polish enterprises, mostly from regulated sectors, public administration and education. The strategic partner of this project is one of the big American cloud service providers. Therefore, the Polish government has announced that it will strive to conclude a CLOUD Act (Clarifying Lawful Overseas Use of Data Act) agreement with the USA in order to eliminate the risk of uncontrolled American access to the data of Polish companies stored by the Polish Public Cloud Operator and/or apply the reciprocity rule in this respect. Further steps to negotiate and sign such an agreement are awaited.
There are some conflicts between the Polish Ombudsman and the representatives of the Polish legislature and government with respect to the correct transposition of the latest Directive (EU) 2016/680.
The problem concerns the notion of national security, which is very broad, and the intelligence service, whose statutory activities are not limited to the protection of national security. Therefore, the Polish Ombudsman argues that exempting the processing of personal data by the intelligence service as a whole from these requirements is not justified. At the same time, the language of the Crimes Prevention PPDA leaves some room for an interpretation allowing its applicability to activities that are not connected with national security. Future jurisprudence should hopefully eliminate the discrepancies and doubts in this respect.
As regards legislation on access to citizens’ data by the police and intelligence service, there is a debate over whether broad and relatively easy access to telecommunications data is justified. The opponents of this legislation point out that there is a significant risk of serious abuse, since law enforcement bodies can, for example, accurately reproduce various aspects of a citizen's private life and collect data on his or her lifestyle, views, preferences or inclinations.
International data transfers of personal information to a third country outside the European Economic Area (EEA) (ie, one that may not provide an adequate level of protection according to EU standards) are governed by the GDPR. Polish legislation does not provide any additional requirements other than those arising from the GDPR. Relevant authorities have also confirmed the applicability of the available GDPR scenarios.
Primarily, data transfers to an entity located in a country outside the EEA without further specific authorisation may take place in a situation where a so-called adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR. In such a decision, the European Commission may decide that a third country, a territory, or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Currently, the countries covered by the adequacy decision are, for example, Andorra, Argentina, Canada (with some exceptions), Israel (with respect to electronically processed data only), Japan, Jersey, New Zealand and Switzerland. Adequacy talks are ongoing with South Korea.
Apart from the above, a transfer of personal information outside the EEA is possible if the following means are in place:
Notifications or approvals to transfer data internationally are only required when the organisation would like to obtain an approval of, for example, its binding corporate rules. When data controllers are using a mechanism adopted or approved by the Commission, additional notification or approvals are not required.
As a primary rule, the personal data of individuals from the EU should be processed in the EU. The processing of data outside the EEA by an establishment of a controller or a processor in the EEA requires compliance with the provisions of the GDPR regarding transfer to third countries, as specified in 4.2 Mechanisms that Apply to International Data Transfers.
A controller or a processor not established in the EEA but processing personal data of data subjects who are within the EEA (offering goods or services to such data subjects in the EEA or monitoring their behaviour as far as their behaviour takes place within the EEA) should also apply the GDPR requirements, including the requirements for transfers to third countries.
Currently, since the GDPR is not applicable in this area, personal data controllers are not required to report to the government or to supervisory authorities on the use of certain technical security measures or technical details such as software code or algorithms. It may, however, be the case that the competent supervisory authority approving binding corporate rules in accordance with the consistency mechanism under Article 47 of the GDPR will require the controller to have a description of the technical details of the applicant’s infrastructure.
Please refer to 3.3 Invoking a Foreign Government.
Transfer of personal data to third countries requires compliance with the provisions of the GDPR as described in the sections above, mainly 4.2 Mechanisms that Apply to International Data Transfers. In case of lack of compliance with these provisions, such a transfer is impermissible and illegal under the GDPR.
In Poland, it has been accepted that specific issues regarding the use of modern solutions and technologies such as big data analytics, automated decision-making, profiling, the IoT, biometric data and geolocation are regulated in the regulations of individual sectors. In practice, this means that it is necessary to build use cases in order to determine the legal requirements in this area; only on such a basis can an analysis be carried out. The first step of that analysis should be to identify the legal acts applicable to a given use case. Irrespective of the sector, however, the GDPR contains general requirements for the protection of personal data that must be followed.
The degree of regulation of modern solutions and technologies in a given sector depends on two factors: first – the real need to use them in a given sector and second – the doubts and risks associated with their use. For example, in the Banking Law, as a result of the activities of an industry organisation, provisions were introduced to enable financial institutions to make solely automated decisions in order to assess creditworthiness and analyse credit risk. These provisions also include safeguards for the protection of personal data. It is necessary to ensure that the person to whom the automated decision refers is guaranteed the following rights: the right to receive appropriate explanations of the grounds for the decision taken; the right to obtain human intervention so that the decision is reconsidered; and the right to express his or her position. The purpose of these solutions is to prevent the use of "black box" solutions that subject decisions solely to an algorithm, and to provide the data subject with a response in the event that he or she considers that relevant circumstances were not taken into account in the course of automated decision-making. In addition, the use of specific categories of personal data in automated decisions has been banned – eg, data concerning health, sexuality or sexual orientation.
The recommendations issued by the Polish Financial Supervision Authority, and specifically Recommendation D of January 2013 dedicated to financial institutions, are an example of regulation of the issues related to so-called "Digital Governance". Recommendation D aims to present the supervisory authority’s expectations regarding careful and stable management of information technology and the security of the IT environment. The document contains twenty-two recommendations, which are divided into the following areas:
The descriptions and comments contained therein, together with the individual recommendations, should be treated as a set of good practices, which should be applied in accordance with the principle of proportionality. This means that the use of these practices should depend, among other things, on how well they fit the specific features and risk profile of the entity, the specific legal conditions in which the entity operates and the characteristics of its IT environment, as well as on the ratio of the costs of their implementation to the resulting benefits (also from the perspective of the safety of the entity's customers).
Financial penalties imposed by the PPDPO arouse the greatest interest of the Polish public and, in particular, privacy professionals. The PPDPO has imposed fines in the following cases:
Issues relating to applicable legal standards in the context of regulatory enforcement are discussed in 1.3 Administration and Enforcement Process.
Matters relating to private litigation involving privacy or data protection are discussed in 2.5 Enforcement and Litigation.
One of the basic principles introduced by the GDPR is the principle of accountability. It places an obligation on organisations to demonstrate that they comply with the provisions of the law. The translation of the accountability principle into the process of entering into corporate transactions means that due diligence must also include an analysis of personal data protection in the acquired entity or group of entities.
Due diligence in the area of personal data protection is most often based on information and documents obtained from the entity covered by the review. The results of the due diligence are included in the due diligence report along with the identification of the risks related to specific issues.
One of the key principles of the GDPR and the existing data protection laws is transparency towards data subjects.
Furthermore, some other laws also impose similar requirements, namely the Act of 5 July 2018 on the National Cybersecurity System, which is a transposition of the Network and Information Security Directive – Directive (EU) 2016/1148 of the European Parliament and of the Council. This Directive imposes an obligation to provide the user of essential services with access to knowledge that will enable him or her to understand cybersecurity threats and use effective methods of protection against them within the scope of the service being provided. This obligation can be fulfilled by publishing information on the company website and it applies to operators of essential services and public entities specified in the Act.
There are no major issues of data protection and privacy in Poland not already covered in this chapter.