TMT 2020

Last Updated February 20, 2020

Poland

Law and Practice

Authors



Traple Konarski Podrecki & Partners is one of the leading law firms on the Polish market. It specialises primarily in the following areas: intellectual property law, TMT, IT, competition and consumer protection law, fintech, advertising and sales promotion law, real property and public procurement. The TMT team is composed of more than 30 lawyers. The firm's TMT practice group is one of the most experienced in Poland, and constantly advises a large number of Polish and foreign entities operating in the sector. At the moment the firm serves more than 50 TMT clients, some of them not only in Poland but – through the CEE Legal HUB – also in 20 CEE jurisdictions. The legal services the firm provides in this area are focused on telecommunications, radio and television broadcasting; e-commerce; internet law; intellectual property and new technologies (eg, video-on-demand platforms); e-government; and cybersecurity. The firm, on a regular basis, provides legal assistance to both Polish and foreign businesses operating across a wide spectrum of sectors, as well as to public entities. It also acts as a regular expert for numerous commercial and business organisations and associations of artists. The firm, which has its office locations in Warsaw and Kraków, has earned top positions in local and international law firm rankings within the categories of IP, TMT and competition. It has been active on the market for over two decades.

Cloud Computing – Definition

There is no legal definition of cloud computing services in the Polish legal system. Regardless of the above, the definitions of cloud computing can be found in various guidelines, recommendations and soft law concerning specific sectors (eg, the banking sector).

The latest draft of the communication of the UKNF (the Polish Financial Supervision Authority) concerning the processing of information by supervised entities in a public or hybrid cloud computing system refers to the definition of cloud computing proposed by the US National Institute of Standards and Technology (NIST), which understands cloud computing as "a service delivery model providing location-independent, convenient 'on-demand' network access to a shared pool of configurable computing resources (eg, servers, storage, applications or services) that can be dynamically delivered or released with minimal management effort and minimum service provider participation". A similar definition was also included in the previous UKNF document; eg, Recommendation D concerning the management of information technology and security of the information and communication environment. The definition of cloud computing is also included in, eg, Recommendations of the European Banking Authority, EBA/REC/2017/03.

Laws and Regulations

In the Polish legal system, there are no regulations strictly focused on cloud computing.

Therefore, the provisions on personal data protection (eg, the Act of 10 May 2018 on the Protection of Personal Data and the General Data Protection Regulation, or GDPR) and information protection (eg, trade secrets regulated in the Act of 16 April 1993 on Fighting Unfair Competition), the provisions on intellectual property rights (the Act of 4 February 1994 on copyright and related rights and the Act of 27 July 2001 on the protection of databases) and the general provisions of civil law (cloud computing services agreement) are primarily applicable. The regulations on sector secrets will also apply.

In addition, in certain cases cybersecurity regulations will be very important in relation to providing cloud computing services. The Directive of 6 July 2016 on security of networks and information systems (EU) 2016/1148 (the NIS Directive) concerns primarily the strengthening of critical infrastructure in the EU, but also includes provisions that will apply to cloud computing services. The NIS Directive is implemented into the Polish legal system by the Act of 5 July 2018 on the national cybersecurity system.

Due to the fact that the data transmission element of cloud computing is also important, regulations relating to the information and communications technology (ICT) sector will also apply. The Telecommunications Act of 24 April 2009 and the Act of 18 July 2002 on Provision of Electronic Services will be particularly relevant in this context. It should be noted that in December 2018, the Directive of the European Parliament establishing the European Electronic Communications Code (EECC) amending the situation of over-the-top (OTT) service providers entered into force, which could potentially be relevant for some cloud-based services after implementation in the Polish legal system.

Apart from acts of statutory rank, sector-based soft law regulations in the scope of personal data protection, sector-specific information protection or regulations concerning the content of contracts between the user and the provider would apply.

Regulations in Specific Industries

The requirements of the law and soft law for cloud computing aim to guarantee the security, integrity and confidentiality of sensitive data. These requirements relate primarily to the processing in the cloud of the special category of data (eg, banking, insurance, telecommunications and medical) and trade secrets.

The requirements for the cloud vary greatly between sectors. The financial sector (eg, banks, payment institutions and insurance companies) is subject to the greatest regulation regarding soft law. In this respect the recommendations, guidelines and communications of the UKNF are particularly important at the national level. At the European level, it is worth pointing out the recommendations of the European Banking Authority.

The medical sector also has regulations that will apply to cloud computing. For example, the Act of 6 November 2008 on Patients' Rights sets out the requirements for entrusting data, and the Regulation of the Minister of Health of 9 November 2015 on the types, scope and templates of medical records and the manner of their processing introduced requirements for securing the records. As far as soft law is concerned, it is worth noting the Recommendations of the Centre of Health Information Systems in the area of safety and technological solutions used during processing of medical records in electronic form.

The public sector is also worth noting, in the scope of which the Act of 17 February 2005 on Informatisation of Activities of Entities Performing Public Tasks and the Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework, Minimum Requirements for Public Registers and Exchange of Information in Electronic Form and Minimum Requirements for Information and Communication Systems are of significant importance.

As an aside, it is worth noting that the regulation that is of particular importance at the national level and that applies to some cloud providers is the Act of 5 July 2018 on the National Cybersecurity System, which implements the NIS Directive into the Polish legal system.

Processing of Personal Data

In relation to the processing of personal data, the regulations of the GDPR and the Polish Act on the Protection of Personal Data will apply. The above acts complement Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union.

The processing of personal data in a cloud should be taken into account by both the provider and the user. General regulations on data processing will apply to the processing of personal data in a cloud; see also 6 Key Data Protection Principles.

On the other hand, cloud data processing will raise specific legal problems with regard to the application of the GDPR.

  • Transfer of data to third countries – according to Article 44 of the GDPR, the data controller should ensure that a processor from a third country ensures an adequate level of protection of personal data resulting from the GDPR. Therefore, both the data controller and the processor should bear in mind adequate safeguards.
  • Separation of responsibility for data processing between the service provider and user – some cloud services are ready-to-use solutions where the subscriber of the service will not be able to actually control or supervise the processing of the personal data, which might be risky from the perspective of his obligations resulting from the GDPR. Service providers often believe that all audit and control activities create the risk of violating the cybersecurity of their solutions or may lead to disruption of the entire service. Thus, this issue should be properly addressed in the contract between the parties. It is also worth mentioning that parties should appropriately regulate their role in data processing.
  • Notification in the event of personal data breaches – cloud services are also provided across borders, which may lead to the need to provide appropriate organisational and technical solutions to meet the requirements of the GDPR concerning notification.
  • Access to data by public authorities – the problem of access to data processed in the cloud by specific public services may be particularly important for service providers operating from the territory of the USA. The US Clarifying Lawful Overseas Use of Data Act (Cloud Act) gives US public services the right to access to data, which may lead to a conflict situation with obligations to restrict/protect the transfer of personal data outside the European Economic Area (EEA).
  • Processing of non-personal and personal data – EU Regulation 2018/1807 on processing of non-personal data defines non-personal data imprecisely by reference to the GDPR, which may lead to interpretation problems with regard to the classification of certain types of data and, consequently, even to failure to comply with GDPR obligations.

Risk and Liability

One of the fastest-growing technologies in the world is digital currencies and blockchain. It is worth making it clear that blockchain technology is not directly regulated in Polish law. However, the use of blockchain solutions is fully legal in Poland and the applicable provisions are contained in various legal acts; eg, tax regulations, financial sector regulations, general regulations concerning contractual obligations, intellectual property law, criminal law or administrative regulations will apply. Currently, lobbying activities are undertaken by various industry organisations and bodies operating at the Ministry of Digital Affairs to regulate the status of blockchain technology in Poland.

In terms of blockchain risks, the main issues raised are privacy (including the protection of personal data), cybersecurity and relevant operating standards. In 2017 the working group related to the Ministry of Digital Affairs, called Stream, on the directions of possible legislative work and regulatory activities of public institutions prepared a report entitled "Review of Polish law in the context of applications of distributed registers and digital currencies technology", in which it outlined that in the context of the Polish law system, non-codex administrative law (privacy and personal data protection) and tax law may cause problems in relation to blockchain-based technologies.

Intellectual Property

When analysing the relationship of intellectual property rights to the use of blockchain technologies, it should be noted that the subject of intellectual property rights protection may be the blockchain (distributed ledger technology, or DLT) solution itself, as well as the content that the blockchain contains. Regardless of the above, blockchain technology may also be used to record intellectual property rights and to document copyright transactions (licences and agreements concerning transfer of economic copyrights).

Currently, start-ups are working on the possibility of ensuring the recording and multiplication of works via blockchain. However, such solutions are not very popular and it is too early to qualify them as a new field of exploitation, or a way of using or disposing of works.

Therefore, from the point of view of the current application of blockchain technology, the most important issue would be the legal qualification of the blockchain itself. In this respect, it seems that blockchain technologies would qualify, for example, as computer programs (regulated in the Act of 4 February 1994 on copyright and related rights) or databases (regulated in the Act of 27 July 2001 on the protection of databases) under the Polish copyright system.

For the above reasons it is worth noting that blockchain solutions often use open-source assets, which may lead to licensing problems and affect commercialisation. In addition to Polish copyright regulation, the Act of 30 June 2000 on Industrial Property Rights may apply in the scope of the protection of a blockchain solution. However, it should be taken into account that industrial property rights have a territorial character that may be relevant from the perspective of business activities. Additionally, the most important part of blockchain technologies from the perspective of protection relies on computer programs, which may affect the difficulty of meeting the conditions for filing a patent application required by the Act on Industrial Property Rights.

Data Privacy

As indicated above, one area that raises particular problems in the context of the wider use of blockchain technology is data protection and privacy legislation.

Taking into account the specificity of blockchain operation, the first point that raises particular problems is the issue of assigning responsibility for data processing to individual entities that use a particular blockchain product. In some cases, it may be difficult to determine the legal basis for the processing of personal data. Thus, use of the data for a different purpose than the original one may lead to problems in compliance with GDPR obligations. In this respect, the problem of possible cross-border transfers of personal data may arise. Due to the way in which blockchain technology operates, it may be technically and organisationally difficult for data subjects to exercise their rights (eg, the right to delete or rectify data).

Actions are being taken to make legislative changes to the issue of data processing in the context of blockchain technology. For example, the working party related to the Ministry of Digital Affairs responsible for blockchain and DLT technologies actively advocates for statutory limitations of certain rights granted to data subjects within the GDPR during processing of personal data by using blockchain technologies.

Service Levels

Polish law does not regulate the service level of blockchain technologies. The general provisions of the Civil Code concerning obligations and contractual provisions based on the principle of freedom of contract will apply in this respect. If a given solution is qualified as a key service in the meaning of the Act on the National Cybersecurity System, it will also be necessary for the service provider to meet the service level requirements resulting from that act. In order to identify the required level of service, it may also be necessary to identify sector-specific regulations concerning adequate level of protection of personal data or privacy and cybersecurity in the broadest sense.

Jurisdictional Issues

In view of the potential cross-border nature of the use of blockchain technology solutions, a whole range of procedural issues concerning the determination of both the law and the competent court for a service contract may also be a problem. Given the complexity of blockchain technology contracts, each element of the blockchain technology should be analysed separately. Parties of a contract should bear in mind how to determine the jurisdiction and the law applicable to the contract. It is also worth remembering that the situation of consumers has been regulated differently: there are certain rules concerning limitation of contractual rights provided to protect them.

Nowadays, when we talk about artificial intelligence, we mean mainly machine learning. Artificial intelligence needs data that could be processed by algorithms and contribute to its development. As a result of this process, the AI "learns" certain relations that would be used to handle tasks in the future. The types of data depend on the purpose for which we want to use AI-based solutions. Thus, big data, machine learning and artificial intelligence are solutions that are very often closely related. Therefore, they will be discussed together.

The development of artificial intelligence provides further legal problems, mostly regarding the processing of data. Currently, there is no legal definition of artificial intelligence and no legal regulations dedicated to AI solutions. Assumptions and objectives of future AI regulations can be found in various documents that are primarily of a technical nature or fall into the category of soft law.

In this respect, it is worth noting the recommendations of the OECD Artificial Intelligence Expert Group for OECD countries and associated members and the recommendations of the "Trustworthy AI Ethical Guide to Artificial Intelligence in the EU" developed by the independent high-level expert group on artificial intelligence. Moreover, The Policy for the Development of Artificial Intelligence in Poland 2019-2027 (version of 20 August 2019) refers to the above-mentioned documents. At the EU level, other working documents have also been developed.

The basic legal problem concerning AI is the Black Box phenomenon, referring to the lack of transparency of this type of technical solution. This phenomenon occurs when it is not entirely clear on what basis a particular solution works. This situation raises questions from the perspective of GDPR compliance. For the development of artificial intelligence it is necessary to provide access to a large amount of data, which is then processed by the algorithms on which the artificial intelligence is built.

One of the main challenges is therefore to ensure an adequate level of data protection. In this respect, specific legal risks may arise from profiling and automated decision making, which have been subject to limitations on the ground of the GDPR. Moreover, an additional issue is data controllers' responsibility for adaptation of the protection measures to the severity, extent and scope of the data processing.

Additionally, the exercise of the right to demand immediate rectification of personal data being processed (Article 16 of the GDPR) and restrictions to automated data processing (Article 21 of the GDPR) may pose major problems. The rights of rectification and erasure concern both "input personal data" (personal data used to create the profile) as well as "output data" (the profile itself or the "score" given to the person). Objection is a measure that requires a far wider interference and needs the cessation of the processing of personal data in general. The exercise of these rights can create significant technical difficulties and affect the development of AI.

Another legal problem, both from a civil and criminal law point of view, is the question of who will be held liable for damages caused by artificial intelligence. This will be particularly relevant for autonomous vehicles. Currently, issues related to this are regulated in the Act of 20 June 1997 on Law on Road Traffic. Currently, in Poland participation of fully autonomous vehicles in the traffic is not legal – there must always be a driver in the vehicle.

One should not forget about the problems concerning copyright law that arise from the specificity of AI. The question of whether artificial intelligence can be a creator in the meaning of copyright law is closely related to the question of the possible legal personality of works of this type. Currently, under the Polish Copyright and Related Rights Act, only the result of human creative activity is protected. Therefore, on the basis of Polish law, it is not possible to grant AI copyright. A separate issue is whether the rights to works created in this way will be held by other persons; eg, developers or owners of software (algorithm) responsible for the operation of AI. It seems that currently it will be difficult to assign copyright protection to this group of people in this respect as well. However, this does not mean that the situation cannot change in the future.

In conclusion, it is also worth noting that the use of solutions such as AI, machine learning or big data may require adaptation of their operation to sector requirements. In particular, attention should be paid to the financial (insurance), medical and public sectors.

In the financial sector, Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2) is the response to technological developments (including in the AI area). The PSD2 Directive has been implemented into the Polish legal system by the Act on Payment Services. Despite the above-mentioned Act, which also indirectly applies to internet of things (IoT) solutions, there are no legal regulations of statutory rank dedicated to this area.

There is no lack of soft law regulations. The positions and recommendations of the UKNF are particularly important in this area, containing guidelines related to the use of artificial intelligence. Apart from the above-mentioned document, the regulations on data protection will also be of significant importance for the financial sector, especially due to the regulations on sector secrets – Article 35 of the Act on Insurance and Insurance Activity and Article 104 of the Banking Law.

Artificial intelligence, as well as other modern technology solutions qualifying to the broad group of telemedicine or e-health technical solutions, need a friendly regulatory environment for their development. Currently, however, there are no dedicated regulations in this area. Due to the fact that the AI is as strong as the data on which it is based, it is worth mentioning the Polish regulations in this respect; eg, the Act of 6 November 2008 on Patient's Rights and Patient Ombudsman and the Regulation of the Minister of Health of 9 November 2015 on the types, scope and models of medical records and the manner of their processing.

Elements that can be relevant to machine learning include liability and insurance, data protection, intellectual property, jurisdiction, and even fundamental rights.

Elements that can be relevant to artificial intelligence include liability and insurance, data protection, intellectual property, jurisdiction, and even fundamental rights.

Internet of things is a network that connects devices, either wired or wirelessly, that operate in a way that does not require human involvement in acquiring, sharing, processing, or interacting with the environment under the influence of that data.

The Polish legal system lacks separate and detailed regulations for IoT technology. The regulations that apply to the use of this type of technology are scattered across various legal acts. For example, one can point to regulations such as the GDPR, the regulation concerning processing of non-personal data, telecommunication law, regulations concerning sector secrets or the Act on the National Cybersecurity System, which implemented the NIS Directive into the Polish legal system. Individual regulations can also be found in acts concerning particular sectors or industries; eg, regulations concerning autonomous cars are included in the Law on Road Traffic. It should be noted that the above acts also often provide financial penalties for failure to meet specific obligations (eg, the GDPR and the Act on Personal Data Protection).

In the context of data processed by devices operating in the IoT ecosystem, a very broad definition of personal data contained in the GDPR causes a lot of interpretation problems. Additionally, this status has not been improved by the Regulation of the European Parliament and of the Council (EU) on the framework for the free movement of non-personal data in the European Union, which includes a definition of non-personal data that referred to the GDPR personal data definition. Moreover, the current legal system lacks regulations concerning access to non-personal data.

The issue of the possibility to process medical data is regulated by EU and national regulations. Article 9(2) of the GDPR contains exceptions allowing the processing of genetic, biometric and health data in specific situations; eg, when the processing is necessary for the purpose of a medical diagnosis and the provision of healthcare. The issue of medical data in the Polish legal system is also regulated by the Act on Patient's Rights and the Patient Ombudsman. Pursuant to Article 23(1) of that Act, a patient has the right to have access to medical records that refer to his state of health and medical services provided to him. Additionally, the above-mentioned Act regulates such issues concerning entrusting data processing that may be applicable in the case of IoT (Article 24 paragraphs 4-7). The regulations concerning the processing of medical data are also provided for in the Act of 28 April 2011 on the healthcare information system, as well as in numerous regulations; eg, in the Regulation of the Minister of Health of 9 November 2015 on the types, scope and models of medical records and the manner of their processing or the Act of 25 June 2013 on the Health Care Statistics System. It should be noted that the above regulations are not sufficient. Despite the partial regulation of the issue of medical data processing, there is still no single standard concerning the communication of IoT devices within the medical sector.

The financial and insurance industry is regulated by an extensive system of legal acts and soft law regulations coming from regulatory bodies at the national (eg, UKNF) and European (eg, EBA) levels. One of the most important regulations that has affected this sector and will undoubtedly be relevant for IoT is the PSD2. Data must be collected and processed in a secure manner, in compliance with data protection legislation (GDPR). The rules on the protection of sector secrets – bank and insurance secrecy – will also be very important. Currently, from the perspective of the development of the industry, the lack of clear regulations on data collection, processing, transmission and protection that keep pace with the development of technology is particularly acute.

Polish law does not separate a special type of agreement applicable to contracts for provision of IT services and products. Therefore, in the context of Polish regulations, it is very important to describe precisely the scope of services (products) to be provided by the contractor (subject of the agreement). In this respect, the ordering party should consider what should be done under the contract. For example, apart from the implementation of the software itself within the scope of a given organisation, the ordering party may need, eg, maintenance, development and updating of the software to be provided under the contract.

In Polish law there are no special regulations concerning the level of service provision in the scope of contracts concerning IT solutions. In the Civil Code there is a general regulation concerning the performance of obligations. Pursuant to Article 354 § 1 of the Civil Code, the debtor (contractor) should perform the contract in accordance with its content and in a manner consistent with its purpose, principles of social co-existence and customs established in practice. Despite the lack of regulation of the statutory rank in the scope of certain services, there are soft law regulations; eg, the draft Recommendation of the Minister of Digital Affairs concerning the conditions of processing in a public cloud of data of public entities of 15 October 2018.

With regard to the service level agreement, the ordering party should first of all remember to specify in the contract the quality of the service (Performance Service Level Objective) by clearly indicating the availability of particular resources, services and support; eg, by indicating the response time. Additionally, it is necessary to ensure appropriate provisions concerning service security (Security Service Level Objective), which may require additional requirements to be met in the case of a key service operator within the meaning of the Act on the National Cybersecurity System. The issues of data management (Data Management Service Level Objective) are also very important; eg, back-up, data restoration and transfer, which may be of key importance in the context of contract termination (Exit Plan). The parties of an IT agreement should bear in mind that the determination of mutual benefits should be reasonable; if they know already at the agreement stage that certain provisions cannot be fully implemented, they should abandon them.

The IT agreement should also contain provisions for ensuring continuity of services and fulfilling information and reporting obligations by the provider. From the point of view of protecting the company's secrecy, the parties should bear in mind the appropriate regulation of provisions concerning security and confidentiality of data and information. In connection with the regulations concerning the processing of personal data, it is also important to regulate this issue appropriately in the contract. It is particularly important to define the roles of the parties in the data processing and, consequently, the responsibility of each party (controller and processor).

The parties should be able to carry out control activities (also in terms of audits) and it is worthwhile to describe properly in the contract clear rules for carrying them out. For example, an IT service supplier often provides software licences for a certain number of workstations. In such a case, it may be necessary for the parties to describe the verification of whether the customer uses the software for a proper number of workstations. While remaining on the subject of control, one should not forget about the provisions concerning the execution of the contract by subcontractors. If the ordering party wants to have control over who is actually executing the contract in the name of the contractor, one should introduce into the contract provisions limiting the general regulations of the Civil Code concerning execution of the contract by subcontractors.

These issues are directly linked to the need to regulate intellectual property rights accordingly. Under IT contracts, the most important issue is securing the rights to the implemented software. It is necessary to determine whether and to what extent the contracting authority acquires the property rights to the software. The most popular model is the licence model, in which the author's economic rights to the software remain with the software developer and the ordering party uses the software as a licensee. In the case of software that is subject to customisation, there is commonly a mixed model; ie, the supplier of a given solution licenses the supplied software and transfers the proprietary copyrights to the customised parts to the ordering party.

Two very important subjects that should be regulated in the contract are the issues of liability and contractual penalties. The principle of freedom of contract, expressed in Article 353¹ of the Civil Code, gives the parties the possibility to arrange the legal relationship according to their interest and will. The parties' freedom is obviously not unlimited. Its limits are determined primarily by the provision of Article 473 of the Civil Code. According to it, the only exemption that is not permitted is one releasing the debtor from liability for damage that he may intentionally cause to the creditor. In connection with liability for the performance of the contract, it is also very important to specify possible contractual penalties. It should be remembered that, in theory, the parties to a contract are free to determine contractual penalties, but if the obligation has been performed in a significant part or the penalty is grossly excessive, the court may reduce it (Article 484 § 2 of the Civil Code).

It is also in the interest of the parties to regulate the Exit Plan and termination of the contract. This is particularly important if the contract is terminated with immediate effect. The Exit Plan should include the manner in which the "release" of the maintained software will take place and the period for which back-ups will be maintained.

Rules that are typically excluded or of mandatory law must be taken into account

In accordance with the principle of freedom of contract, as expressed in Article 353¹ of the Civil Code, the parties have the possibility to arrange the legal relationship in accordance with their interest and will. The parties only have to remember that the contract may not be contrary to the law in force or constitute a circumvention of the law because, in accordance with the regulations of the Civil Code, this may lead to invalidity of the contract (Article 58 of the Civil Code). The parties should also remember that they may be required to comply with certain obligations, which may result from sector-specific regulations; eg, the Act on the National Cybersecurity System or sector-specific regulations on statutory secrets and data processing.

Under Polish law, the way data is regulated depends on whether it concerns natural persons or legal entities. The protection of personal data is regulated by the GDPR and the Act on Personal Data Protection.

Non-personal data is regulated by the EU regulation on the processing of non-personal data and various other special laws on sector and company secrets.

The core rules on the protection of personal data are described in the GDPR. The following points are particularly relevant.

  • Information obligation (Articles 12-14 of the GDPR) – the data subject will have the right to obtain information on the processing of his or her data.
  • Rights of data subjects (Articles 15-21 of the GDPR):
    1. the data subject's right of access;
    2. the right to rectify data;
    3. the right to delete data ("right to be forgotten");
    4. the right to limit processing;
    5. the right to transfer data; and
    6. the right to object.
  • Register of processing activities (Article 30 of the GDPR) – the data controller and processor are obliged to keep a register of processing activities.
  • The processing of data based on consent (Article 7 of the GDPR) – the data controller of personal data must demonstrate that the data subject has given his consent to the processing of personal data. The exception to the above rule is the processing of data on the basis of a legitimate interest (Article 6 of the GDPR).
  • Data protection impact assessment (Article 35 of the GDPR) – the GDPR requires that processors of personal data carry out analyses of the impact of their activities on personal data and on the risk of violation of the rights of data subjects.
  • Limited profiling and automated decision making (Article 22 of the GDPR) – the GDPR allows use of profiling in three cases:
    1. it is necessary for the conclusion or performance of a contract between the data subject and the data controller;
    2. it is based on the law; and
    3. the data subject has consented to this.
  • Obligation to report breaches (Article 33 of the GDPR) – the controller will be obliged to report the personal data breach to the competent supervisory authority. The GDPR further specifies additional conditions to be met in the case of notification; eg, its timing.
  • Penalties for inappropriate processing of personal data (Article 83 of the GDPR) – violation of personal data protection provisions.

Processing of personal data on the basis of the GDPR must comply with the general principles outlined by the EU legislator in Article 5 of the GDPR. A breach of the above-mentioned principles results in the unlawfulness of data processing. The processing of personal data must be primarily lawful. The processing of personal data is illegal unless there is a legal ground for it: the data subject's consent or another ground outlined in the GDPR (eg, legitimate interest of the controller).

The processing of personal data should comply with the principles of transparency and fairness. The above principles are primarily related to the information obligations included in the GDPR. The principle of purpose limitation means that the processing of data for a purpose incompatible with the purpose for which they were collected is subject to far-reaching limitations. It is worth pointing out that the purpose of processing should be specific, clear and legally justified.

Additionally, under the GDPR, processing of personal data should comply with the principle of data minimisation, which states that data processing should only take place where the purpose of the processing cannot be reasonably achieved by other means. The data processing should be accurate, which means that there is an obligation on the part of the data controller to take all reasonable steps to ensure the accuracy of the data; eg, by deleting and rectifying it immediately (data accuracy principle). Personal data should be kept in a form that allows the identification of the data subject (and therefore not anonymised) for no longer than is necessary for the purposes for which the data is processed, which means that the period of storage should be kept to a strict minimum (data retention limitation principle).

The controller is obliged to implement appropriate technical and organisational measures to safeguard data against unlawful processing and accidental loss, destruction or damage (integrity and confidentiality principle). Finally, the principle of accountability should also be mentioned. According to this principle, the controller is responsible for complying with the provisions setting out the above-mentioned data processing rules and must be able to demonstrate compliance.

As indicated above, non-personal data may be protected as a "trade secret" if it meets the requirements set out in Article 11(4) of the Act on Combating Unfair Competition. In accordance with the above provision, undisclosed technical, technological and organisational information of the enterprise or other information of economic value, in respect of which the entrepreneur has taken the necessary steps to maintain its confidentiality, will be protected.

In a specific case, the processing of data may also be regulated by sector-specific regulations on secrets.

The regulation of monitoring and limiting use by employees of company computer resources can be found in various legal acts in the field of both labour law, and privacy and personal data protection.

First, it should be noted that the regulations concerning employee monitoring are contained in Articles 22² and 22³ of the Labour Code. The employer may monitor the employee only if the conditions specified in Articles 22² and 22³ of the Labour Code are met.

As far as email monitoring is concerned, on the basis of Article 22³ § 1 of the Labour Code, the prerequisites for its application are the necessity to ensure the work organisation enables full use of working time or proper use of work tools made available to the employee. An employer performing email control of his employees must remember that there is another condition for such action – the control of employees' mailboxes must not violate the confidentiality of correspondence or other personal rights of the employee (Article 22³ § 1 of the Labour Code).

The analysed provision will also apply to other forms of monitoring, when it is necessary to ensure the organisation of work that allows full use of working time and the proper use of the work tools made available to the employee (Article 22³ § 4 of the Labour Code). This provision will cover, for example, control of company phones (calls and text messages) or determining the location on the basis of the GPS signal of the employee device/vehicle (eg, installed in a car) entrusted by the employer.

Moreover, it is worth pointing out that the issue of video monitoring of employees has been included in Article 22² of the Labour Code.

The above regulations on labour law are closely related to the regulations on personal data protection. According to the definition expressed in Article 4 point 1 of the GDPR, personal data is any information about an identified or identifiable natural person. In the case of an employer, the data subject – ie, the employee – will be an identified person, and information about him or her obtained as a result of the inspection will constitute personal data. The above definition indicates that the category of personal data includes, in particular, location data as well as one or more factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. These factors may result from other forms of employee monitoring.

The employer may only process the employee's biometric data in a particularly justified case; eg, restriction of access to sites where the employer may require special authorisation due to company secrecy or professional skills needed to enter protected areas.

In relation to email monitoring and other forms of monitoring, the provisions on video surveillance – ie, Article 22³ §§ 3 and 4 of the Labour Code – shall apply accordingly. Therefore, the employer should specify in an appropriate internal regulation its objectives, scope and manner of applying the monitoring. Information about the introduction of email monitoring or another form of monitoring should be provided by the employer no later than two weeks before its launch, and for new employees, before they are admitted to work. Data obtained as a result of employee monitoring may be processed for a maximum period of three months from the date of its acquisition, unless it constitutes or may constitute evidence in proceedings conducted under the provisions of law.

The processing of data resulting from monitoring often entails a high risk for the rights and freedoms of data subjects. Therefore, the employer should, before applying it, consider whether it is subject to the obligations resulting from Article 35 of the GDPR (impact assessment of data processing). The Communication of the President of the UODO (the Polish Office for the Protection of Personal Data) of 17 June 2019 on the list of types of personal data processing operations requiring assessment of the consequences of processing for their protection may be helpful in this respect.

The Telecommunications Act sets out the rules for the performance and control of activities consisting of the provision of telecommunications services, the provision of telecommunications networks or the provision of accompanying services (jointly referred to in the Act as telecommunications activities). The definitions of the above-mentioned activities are very broad. Therefore, the Polish Telecommunications Act could apply to a wide range of entities and services.

Telecommunications activity is a regulated activity that, as a rule, does not require a licence. However, a telecommunications undertaking is obliged to make an entry in the register of telecommunications undertakings kept by the President of the Office of Electronic Communications (UKE) (Article 10(1) and (2) of the Telecommunications Act).

The situation is different in the case of the frequency (spectrum) and numbering system defined in the Telecommunications Act, which is based on a licensing system.

The frequencies shall be managed in accordance with the principles set out in Article 111 et seq of the Telecommunications Act. Reservations of frequencies shall be made for an entity that meets the requirements set out in the Act, in particular the entry in the register of communication entrepreneurs or a permit to use radio equipment is granted if the frequencies covered by the application:

  • are available;
  • have been allocated in the National Frequency Allocation Table for the requested radio communications service and the frequency management plan provides for their use in accordance with the application;
  • may be protected against harmful interference;
  • may be used by the radio equipment without causing harmful electromagnetic disturbance or collision with reservations, radio licences or decisions referred to in Articles 144a and 144b granted to other entities;
  • may be used in an efficient manner; and
  • have been internationally agreed to the extent and in the form specified in international radio regulations or agreements to which the Republic of Poland is a party, where there is a possibility of causing harmful interference outside the Republic of Poland.

The entity that obtained the right to dispose of the frequency in a frequency reservation shall pay annual fees for the right to dispose of the frequency (Article 185(1) of the Telecommunications Act).

With respect to numbering management, the President of UKE, by way of a decision, assigns numbering, in accordance with the national numbering plans for public networks, to telecommunications undertakings, local government units conducting telecommunications activities other than telecommunications undertakings and other entities listed in the Act (Article 126 et seq of the Telecommunications Act). The numbering is assigned in accordance with the Ordinance of the Minister of Digital Affairs of 19 March 2014 on detailed requirements for numbering management in public telecommunication networks.

In addition, under Article 143 of the Telecommunications Act, regarding the use of radio equipment, one is required to obtain a radio licence, which is issued by the President of UKE in the form of a decision.

Interpersonal communication services (OTTs) have not been subject to a strict regulatory environment so far, as was the case with traditional providers of electronic communication services such as telephony. Their previous definition in the Framework Directive 2002/21/EC raised a number of questions of interpretation, including the possibility of qualifying OTT services as electronic communications services.

Following developments in the telecommunications market and the need to regulate the status of OTTs, the EECC amended the definition of an electronic communications service by adding a new category of services within its scope – interpersonal communications services. This change has led to OTT service providers being explicitly covered by the EECC.

A number of indications on the interpretation of the concept of interpersonal communication service are contained in recital 17 of the EECC. First of all, these services cover only communications between a potentially limited number of individuals, which are determined by the person sending the message. In addition, this service should enable the recipient of information to respond. Services that do not meet the above requirements – such as linear media services, video-on-demand, websites, social networks, blogs or the exchange of information between devices – should not be considered as interpersonal communication services. Recital 17 of the EECC also indicates that, exceptionally, a service should not be considered to be an interpersonal communication service if the interpersonal and interactive communication tool is only an insignificant addition to another service and cannot, for objective technical reasons, be used without that master service and its integration into the service does not serve to circumvent the rules governing electronic communications services.

It is worth noting that the EECC provides for a further distinction in the new category of electronic communications services by further subdividing them into two groups of services: interpersonal communication services using numbers and interpersonal communication services not using numbers – Article 2(6) and (7) respectively of the EECC.

The EECC provides for a more lenient regulation of interpersonal communication services not using numbers compared to those using numbers. The EECC extends the obligations of OTT service providers. The EECC continues to maintain a general authorisation regime under which each operator can provide its services throughout the EU without an individual licence. The general authorisation scheme requires each operator to carry out a self-assessment and comply with the applicable regulatory conditions in accordance with the national telecoms rules in which the services are provided.

Articles 2 and 3 of the current e-Privacy Directive refer to the definitions in the Framework Directive 2002/21/EC (from 21 December 2020 in the EECC). At the same time, in accordance with Article 125 of the EECC and Annex XII to the EECC, these four directives are repealed and references to them are to be read as references to the EECC. As a result, the revision of the definition of electronic communications service within the EECC will also extend the scope of application of the current e-Privacy Directive. Therefore, from 21 December 2020, the obligations under the current e-Privacy Directive will also apply to OTT service providers, in addition to traditional telecommunications service providers.

Consequently, new obligations will be imposed on OTT service providers. These will primarily be confidentiality obligations. Under Article 5 of the current e-Privacy Directive, it is prohibited for persons other than users to listen to, record, store or otherwise intercept or supervise a communication and related traffic data without the consent of the users concerned. This obligation affects OTT services, such as email services, which use email scans, for example, to display personalised or targeted advertising. The e-Privacy Directive as it currently stands prohibits such practices unless the provider has obtained the prior consent of all users concerned.

Restrictions on the use of traffic and location data (Articles 6 and 9 of the e-Privacy Directive) will also remain important. Traffic data includes information about the time of telephone calls, messages or emails, the sender and recipient of these messages, the location of the sender and recipient, etc. Article 6(1) of the e-Privacy Directive will require OTT providers to anonymise or delete traffic data when it is no longer needed for the purpose of the transmission of a communication. The processing of traffic data necessary for the purpose of subscriber and interconnection billing will be allowed until the end of the period during which the bill may legitimately be challenged or the fee paid (Article 6(2) of the e-Privacy Directive). In the case of location data other than traffic data (Article 9 of the e-Privacy Directive) relating to users, they may be processed when they are anonymous or with the consent of the users, to the extent and for the duration necessary for the provision of the value added service.

Work is ongoing on the implementation of the EECC in the Polish legal system, so it is not entirely clear what the regulations will look like but it is clear that the OTT situation will change.

The Act of 29 December 1992 on Radio and Television Broadcasting applies to media service providers established in the territory of the Republic of Poland (Article 1a of the Act). Dissemination of television and radio programmes, with the exception of public radio and television programmes, requires a licence to be obtained by the interested entrepreneur (Article 33(1) of the Act on Radio and Television Broadcasting). The above requirement does not apply to the distribution of television programmes exclusively in ICT systems, unless such programme is to be distributed on the ground, via satellite or cable networks (Article 33(2) of the Act on Radio and Television Broadcasting). The competent authority for concessions is the President of the National Broadcasting Council.

It should also be noted that the Act on Radio and Television Broadcasting does not require a licence to be obtained for entities providing on-demand audio-visual media services. Exclusion from the obligation to obtain a licence does not mean that the Act does not address any obligations. The entity providing audio-visual media services on demand is obliged to perform the obligations specified in Article 47a et seq; eg, to gradually ensure accessibility of the provided programmes for the disabled, to mark product placement.

It should be pointed out that the Act on Radio and Television Broadcasting does not apply to other formats to which the provisions of the Act on Provision of Electronic Services will apply. As far as platforms providing such services are concerned, consumer regulations or regulations on product advertising will also be very important (eg, the regulation concerning alcohol advertising).

For matters not regulated there, regulations concerning specific issues will apply. For example, the issues concerning intellectual property rights will be concentrated mainly in the Act of 4 February 1994 on Copyright and Related Rights, which regulates issues that are important from the author's perspective, such as granting licences and transfer of copyrights, remuneration for the use of audio-visual works or performance of copyright supervision.

Polish law does not explicitly regulate the use of encryption or circumstances when a company is required to use encryption technology. However, it is worth noting that failure to adopt such solutions may in certain cases lead to violation of personal data or the privacy of users of the unsecured solution, as well as, in the case of institutions and legal persons, lead to violation of sector secrets (eg, telecommunication secrets).

According to the GDPR, the data controller is obliged to implement appropriate technical and organisational measures (including pseudonymisation and encryption). Thus, encryption is a recommended data protection mechanism appearing directly in the regulation, but also commonly recommended by many organisations dealing with security. In the absence of specific regulations on encryption, there are also no specific legal requirements for its use.

It should be pointed out that the obligation to maintain the secrecy of correspondence is limited, eg, by the Telecommunications Act (Article 179), which obliges an entrepreneur to ensure technical and organisational conditions for access to and recording of telecommunication transmissions by services indicated there; eg, the police or border guards. Additionally, regulations concerning "eavesdropping" are also included in the provisions regulating the activities of specific public services; eg, in the Act of 6 April 1990 on the Police or the Act of 10 June 2016 on counter-terrorist activities.

Traple Konarski Podrecki & Partners

Królowej Jadwigi 170
30-212 Kraków
Poland

+48 22 850 10 10

+48 22 697 63 72

office@traple.pl www.traple.pl

Trends and Developments


Authors



Konieczny Wierzbicki Kancelaria Radców Prawnych Spółka Partnerska is composed of 25 experienced legal professionals specialising in various practice areas, including TMT, corporate, real estate, intellectual property and private equity issues. Its main office is located in Kraków. The law firm is recognised for its TMT team, which has great experience in handling multi-jurisdictional TMT-related matters from all over the world. The team has worked on many cutting-edge projects regarding cloud models (eg, SaaS), mobile payments, virtual banking, cloud native software, etc, in most current IT methodologies (ie, agile), as well as drafted and negotiated practically all types of IT contracts. Konieczny Wierzbicki Law Firm has been engaged in works involving companies such as Standard Chartered Bank, CommerzBank, BNP Paribas, Citi Group, Emirates NBD, Allianz, Allstate, Baillie Gifford, First American and Universal. Relevant recent work on behalf of clients includes preparation and negotiation of contracts for provision of specialised IT services to a US-based "unicorn" entity, in which investors are leading global venture capital funds.

The Public Sector Perspective

A “cloud-first” approach to strengthening Poland’s position as an IT challenger

Last year Poland further reinforced its reputation as a local, Central-European leader of innovative technology and IT solutions. In the near future, the country’s public and private sectors are both expected to redouble their efforts to make Polish technology and IT products among the most innovative in the region.

To keep pace with current worldwide trends, major players on the Polish market are already working on implementing a fully cloud computing (or "cloud first") model for their technology and IT products and solutions. In a cloud-based environment, software and data resources remain available on-demand even when the user is not directly active and without the need to engage any data centre or the user’s actual storage.

When trying to provide an accurate forecast for the Polish TMT sector, it is important to realise that it is not only private entities that have recognised the widespread need for cloud solutions. The Polish government has also identified a growing reliance on cloud technology and has made it a priority objective in its future plans for developing and managing public IT solutions for Polish citizens.

On 11 September 2019, the Polish Government passed Resolution No 97, a new initiative entitled Common Information Infrastructure of the State (henceforth, the Initiative). This is a 19-page roadmap setting out the next steps that need to be taken at the government level to ensure public IT solutions are upgraded to the next, fully cloud-based, level.

The overriding goals of the Initiative are: firstly, to shorten the time required to access public electronic services; secondly, to broaden access to public electronic services and personal data processed by the public authorities; and, thirdly, to ensure the highest possible level of data security and integrity.

The two key innovations envisaged under the Initiative are Government Cloud Computing and the Government Security Cluster – comprehensive software solutions that will provide most public authorities with free, unlimited access to the Government’s centrally maintained cloud storage system. All solutions connected with the central cloud and cluster systems, as well as all local clouds created by the authorities, will be based on the software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) models so as to guarantee they meet the latest industry standards. Moreover, the Initiative requires all tools and systems designed for the domain of public administration to comply with strict new State Cyber Computing Standards, which will determine the minimum level of security that systems must meet for them to operate within the state-administered cloud and cluster.

The anticipated cost of the Initiative will partly be covered by funds set aside from the state budget for the coming years. Another source of financing will be the European Union’s “Polska Cyfrowa” (Digital Poland) operational program. Both the Initiative itself and the fact that the resources set aside for software development will be allocated within the state budget are a clear signal that it is time for providers of SaaS, PaaS and IaaS tools and services to focus their efforts on Poland, where investment in such technologies will undoubtedly increase.

Gambling sector to set the technological trends in the coming years

The adoption of the aforementioned Initiative simply highlights the efforts that the Polish Government has already undertaken towards promoting a computerised and digitised public administration. A number of key areas are already covered by complex IT solutions, thereby enabling the public authorities to gather and process on a remote basis the data required for their day-to-day operations using a “real-time access” model.

One institution that has committed itself to remaining in step with such global trends is the Polish Ministry of Finance, which is responsible for Poland’s quasi-private gambling sector. The latter is deemed to be one of the most exposed sectors, due to the dangers of possible fraudulent activities, and has therefore always been strictly regulated.

Since 2016 and 2017, gambling in Poland, both online and on-premises, has been organised and administered as a state monopoly and is strictly regulated. The task of exercising this state monopoly has been delegated to the Prime Minister, the Ministry of Finance and Totalizator Sportowy sp. z o.o., a limited liability company fully controlled by the State Treasury. Some games – such as betting and casino games – are still run by private entities, albeit while being closely monitored by the public authorities.

Since 2016 the Polish public authorities have had to adapt to a new reality, in which they are not only required to supervise the gambling market, but also to run actual gambling businesses in the form of a state online casino and state slot-machine rooms. The centralisation of the gambling market has forced the authorities to develop technology that would enable them to oversee the participants and organisers of the state-supervised gambling activities.

To monitor the activities of players using state-supplied slot machines, the Polish authorities were required to develop a solution ensuring remote, real-time access to the data stored in all legally operated slot machines in Poland, which in turn would provide information relevant to the task of administering access to these slot machines as well as the size of the stakes. The task of the central system is to obtain and record data on bets made and winnings paid out from slot machines, the history of game play and all data on the status of slot machines, including information on any machine malfunctioning or interference. All slot machines located in Poland have real-time, unlimited access to the system so that data can be passed on to the latter, which in turn enables data to be stored and automatically archived. The development and maintenance of this system remains one of the most recognisable IT projects in Poland currently being financed with funds from the state budget.

Moreover, over the last few months Poles have had the opportunity to bet in the country’s first-ever state online casino. The Total Casino (which is the official name of both the casino itself and its website) offers both browser and mobile access to various casino games, including online slot machines, online roulette, poker, blackjack and other card games. The launch of an official state-sponsored online casino is a major novelty on the Polish gambling market and the casino’s operations conform to the highest standards of cloud data storage with both the casino administrator and the player enjoying high-quality remote access. To meet the strict requirements of the regulator regarding participation in gambling, the online casino was provided with a complex certification system aimed at monitoring the access of players and preventing unauthorised persons from playing. 

Similar centralisation tendencies can be observed in other sectors, which makes the Polish gambling sector a test case for analysing what has been achieved to date and what we can expect to see in the future in other markets where the state or state funds exercise direct or indirect control – such as television, media and broadcasting.

Faced with the steady expansion of mandatory electronic systems for tax declarations and government reporting, Polish business entities nowadays have no alternative but to enter into the new, digital world. This in turn will require entrepreneurs operating in Poland to engage top IT developers and providers in the design, implementation and maintenance of solutions crafted to meet Polish compliance criteria.

Both private and public entities will be seeking technologies enabling unlimited, free and safe data transfer and storage without the use of actual data centres, and where the public authorities will have guaranteed access to such data in real time. 

Auction for 5G frequencies

Ongoing digitisation, the shift from on-premise to cloud models, the Internet of Things (IoT) and smart cities all require rapidly expanding the network and increasing its bandwidth. These undertakings will be supported by the introduction of the 5G network in Poland.

The distribution of 5G frequencies in Poland began in December 2019 and is expected to end in 2020. The President of the Office of Electronic Communications (UKE), the regulatory authority responsible for telecommunications and postal activities and frequency resource management, is planning to award the rights to use four frequencies in a simultaneous, ascending auction with a minimum price of PLN450 million per one packet of frequencies.

UKE chose to organise an auction instead of a tender as an ascending price auction allows it to respond rapidly to the actions of other participants, making it more likely that higher prices will be achieved. A company will only be allowed to bid if it has already invested at least PLN1 billion in the telecommunication infrastructure or radio network in Poland and if it possesses a reservation for another countrywide frequency. This means that only a limited number of participants may take part in the procedure. Each bidder can only apply for one frequency and will be obliged to make further investments – for example, by building at least 500 base transceiver stations within the next five years.

The Private Sector Perspective

Online and mobile services

It can be clearly observed that business entities in Poland are shifting towards online channels for providing services. According to market studies, the e-commerce sector in Poland is worth nearly EUR11.5 billion and is estimated to grow by approximately another 25% in 2019. At the same time, the legal framework governing e-commerce in Poland has not changed much in recent years, being affected mainly by the enactment of new laws by the European Union – for example, Regulation (EU) 2017/1128 of 14 June 2017 on the cross-border portability of online content services in the internal market, and Regulation (EU) 2016/679 of 27 April 2016, the General Data Protection Regulation.

Together with online spending, mobile payment services are constantly expanding and improving, making Poland one of the European leaders in this regard. Pay-by-link and cashless payments are extremely popular in Poland. As reported by the National Bank of Poland, 100% of point of sale (POS) transactions in the country provide contactless payment options. Last year also saw the launch of the country’s first-ever shops with no cash registers.

Further expansion of online services is anticipated in the future due to the increased availability of mobile devices and the development of the Internet of Things. Moreover, online sales and services appear to have received a further boost from the government ban on Sunday trading in Poland, which has effectively outlawed shopping in brick-and-mortar stores on almost every Sunday in 2020.

The switch to online and mobile services has likewise been reflected in the growing interest in “sharing economy” opportunities in Poland. The most striking example of this phenomenon is car-sharing, which almost tripled in popularity in the first half of 2019 alone. The demand for electric scooters is also on the rise.

Moreover, the number of passengers using mobile applications to order car services (such as Uber) has risen steadily. One interesting question is if and how the industry will be affected by new Polish legislation regulating passenger transport. Pursuant to the new provisions that came into force on 1 January 2020 (sometimes referred to as “Lex Uber”), taxi meters may now be replaced with mobile applications; however, all drivers require a special licence if they wish to provide passenger transport services legally.

Also worth mentioning here has been the emergence of the private remote healthcare sector in Poland, which has had to overcome numerous restrictions imposed by various laws, especially in terms of the legal framework governing data privacy.

Cloud services

Cloud services are gaining in popularity in the country. However, it is somewhat surprising that statistically only around half of all Polish entities use or intend to use cloud services in their business operations. These results are clearly inconsistent with global trends. The reason may be that the Polish cloud market is rather fragmented when it comes to cloud service providers.

However, this situation is expected to change in the coming years. In the case of IT contracts, more and more often we can expect on-premises arrangements to be replaced by cloud services. Business entities recognise the advantages of cloud services, such as improved compatibility between different systems and applications, a reduced infrastructure, etc. At the same time, however, certain cybersecurity issues must be properly addressed, especially in view of the relevant provisions of the General Data Protection Regulation.

IT sector issues

The Polish IT market is quite vibrant. A considerable number of foreign IT companies have decided to establish software development studios and research and development (R&D) centres in Poland. They include all the world’s top market players from the IT, media and telecommunication sectors. In addition, there are an estimated 1,000 Polish software development firms employing around 50,000 people. Polish software houses are especially active and successful in the gaming industry.

One noteworthy trend from a business perspective has been the significant increase in projects performed with "agile" methodologies instead of the "waterfall" approach. This, in turn, seems to be having an effect on settlement methods, thanks to a shift away from fixed budget projects to time and material settlements.

Another interesting development in the IT sector in recent years has been white labelling. Preparing ready-made IT solutions tailored to the individual needs and preferences of the customer ensures much greater efficiency and cost optimisation – ie, advantages constantly being sought by entrepreneurs.

Blockchain

Although blockchain technology has not yielded many cryptocurrency projects in Poland, it has undoubtedly attracted interest from many business entities. Given the potential of its local IT market, Poland could well become a reputable centre for developing blockchain-based systems.

Currently, the potential of blockchain technology is mainly being exploited by the financial sector (banks, peer-to-peer platforms, etc). One recent, interesting example of how blockchain technology is being utilised for commercial purposes is the Polish company Billon. In 2019 Billon became the first electronic money institution to be granted a licence by the Polish Financial Supervisory Committee. Billon created the first system based on distributed ledger technology (DLT) for business. Using blockchain technology as a platform, Billon devised a new protocol that allows national currencies to be registered in accordance with relevant laws and regulations, and it came up with a scalable solution for micropayments. We can expect Billon’s future fortunes to be monitored closely by other market players considering investing in blockchain technology.

Artificial intelligence (AI) and machine learning

Solutions based on artificial intelligence (AI) and machine learning are undoubtedly attracting much interest from many business entities in Poland. The most visible examples of commercially applied AI-based solutions on the local market include "chatbots", voice search and virtual assistants. Machine learning-based user experience has become a recognised tool in the e-commerce sector. It is used to improve the selection of a company’s goods and services, enhance marketing communication and identify a company’s most valued products. Business entities pioneering such tools strongly believe that AI-driven solutions will become a vital factor in building relationships with customers. This outlook is also reflected in market studies, which reveal that by the end of 2020 up to 85% of interaction with clients will be handled by chatbots.

Big data, AR/VR

Big data is one of the most widely discussed issues among business entities in Poland. In contrast to global trends, however, the uptake of big data solutions among Polish companies is relatively low. According to market studies, only a few percent of business entities in Poland report using big data tools and systems. At the same time, approximately 60% claim to apply business analytics in their day-to-day operations. Consequently, the outlook is brighter when it comes to the application of big data tools on a more dynamic scale.

Interestingly, it is said that one of the biggest challenges in the near future is the monetisation of collected data. What is crucial in this area is the quality, not the quantity, of data as well as the added value obtained within big datasets (“smart” data versus “big” data). Supposedly, further developments in this field may affect the choices and actions of business entities with respect to big data solutions.

Currently, big data solutions are mainly applied in marketing and e-commerce to better understand customer needs and thereby boost sales volume (data-driven marketing). Growing interest in big data solutions has also been observed in logistics and production, as well as in telecommunication and finance.

Apart from big data solutions, another tool that businesses believe can give them a competitive edge is "augmented reality" (AR). On the one hand, the number of virtual reality or augmented reality service providers has soared, and on the other, business sectors are becoming keener to make use of VR/AR solutions in their products.

Other interesting issues

Importantly, the trend towards further digitisation in Poland has been mirrored in recent legislative changes providing for the mandatory dematerialisation of joint-stock company shares. This amendment has resulted in what has even been described as the “digitisation of the joint-stock company”. Pursuant to the provisions that entered into force at the end of 2019, every joint-stock company is required to run its own website, which should include the most important information about the company and a separate tab intended as a communications channel for shareholders as well as for publication purposes. Moreover, the new regulations provide for the mandatory dematerialisation of all shares, and this process should be completed by 31 December 2020. As a result, from the beginning of 2021 only persons entered in the company’s register of shareholders will be considered a shareholder. From the IT market’s perspective, the above legal arrangement could be an incentive for fashioning specialised services connected with maintaining electronic shareholder registers.

Since the beginning of 2019, the rules governing the maintenance of employees' personal files have also undergone a radical overhaul. These revolutionary changes include the possibility of switching to fully electronic versions of file-keeping. In addition to shortening the mandatory storage period for employees’ personal records (originally this was 50 years following the termination of an individual’s employment), these regulatory innovations may help significantly reduce the costs of conducting business in Poland. Furthermore, maintaining employees’ personal files in electronic form necessitates implementing specialised software that allows for the digitisation of documents, electronic signatures, and storing and sharing such information in an appropriate manner. Digitisation of employees’ personal files is another example of how business entities in Poland are harnessing new technologies to perform everyday tasks.

Copyright-Related Trends and Developments

EU Directive on Copyright in the Digital Single Market

The Directive on Copyright in the Digital Single Market was adopted by Members of the European Parliament at the beginning of 2019. The directive gives authors and publishers the opportunity to protect their interests and strengthen their position against internet giants such as Google. Internet platforms will henceforth be directly responsible for the content published on their websites.

In addition, authors and performers will be able to demand additional adequate remuneration from the distributor in cases where the remuneration originally agreed upon under a licence or a transfer of rights is disproportionately low compared to the actual revenues and the benefits ensuing from the exploitation of a work or the fixation of a performance.

The directive provides for a number of important exceptions. Access to excerpts from press articles is excluded from the scope of the directive on condition, however, that such an excerpt is "very short". What is also important, especially for young entrepreneurs and start-ups providing online content services (ie, entities whose services are publicly available in the European Union for less than three years and whose annual turnover does not exceed EUR10 million) is that the law will be more lenient in terms of their liability. In other words, such entrepreneurs will not be held liable for copyright infringement if they can show that they have made every effort to obtain permits from authorised persons.

EU member states now have two years to draft and enact the appropriate legislation to meet the directive's requirements. Some countries have already adopted the relevant provisions, while others have entered the consultation stage. In Poland’s case, the government has not yet initiated the process of implementing the directive. Instead, the government has decided to refer parts of this legislation to the Court of Justice of the European Union in order to review their compliance with the treaties and to seek their annulment. The government pointed out that these provisions pose a fundamental threat to freedom of expression on the internet and introduce a mechanism that obliges websites to proactively control all content that users want to post. Delays in implementing the directive may negatively impact legal certainty for authors and those entities supplying digital content. On the other hand, however, by analysing those solutions previously adopted by other member states it becomes possible to avoid some of the mistakes made in the past as well as help draft better legislation in Poland.

Constitutional Tribunal judgment on amount of special damages for IP infringements

Despite work on implementing the directive having been suspended, the past year has seen another change in the field of copyright law which may have a significant impact on all sectors of the economy in which copyright-protected works occupy an important place (including the publishing market, media and computer software producers).

The Polish Constitutional Tribunal has ruled on the constitutionality of one provision, according to which a rightholder (eg, the author of a work or the buyer of rights to a work), whose copyright has been infringed, may request that the infringer repair the damage caused by paying a sum of money equivalent to twice the remuneration that would have been due from using the work with the consent of the rightholder. The Tribunal decided that this provision does not infringe the rights of ownership, other property rights and human freedoms protected by the Polish Constitution.

In its previous ruling of 2015, the Tribunal held that compensation equal to three times the remuneration in such cases would be unconstitutional, arguing, inter alia, that such compensation upsets the balance between the rightholders (authors) and the users of works. In its 2019 ruling, the Tribunal seems to have determined that the correct balance is achieved when compensation is equal to twice the remuneration that would have been due. This ruling brings to an end a lengthy debate on the matter and ensures greater legal certainty for rightholders as well as entities using copyrighted material (including all participants on the IT market).

Tax Credits and Grants Aimed at Stimulating Continuous Growth of the TMT Sector in Poland

To ensure steady growth of the local TMT market and encourage continued innovation and expansion, a modern state must adopt a package of tax credits and grants for entities involved in innovative projects. In light of this fact, the Polish Ministry of Finance decided to introduce a package of tax credits comprising three major instruments: research and development (R&D) tax credit, IP Box and a 50% ATS Scheme.

Research and development (R&D) tax credit

The Polish legislature introduced a research and development (R&D) tax credit into the country’s income tax regulations in 2016. This tax relief mechanism allows the taxpayer to deduct qualifying expenditure from its revenues twice: firstly, by taking into account qualifying expenditure when calculating taxable income, and, secondly, by including up to 150% of qualifying expenditure as a sum deductible from taxable income. There are no restrictions with regard to the effects of R&D activities (eg, they do not need to have a successful outcome) or the ways in which these effects are applied after an entity has qualified for a tax credit. Moreover, no permits or applications are required from the relevant authorities if the taxpayer decides to benefit from tax credits, as the awarding of credits is not dependent on the applicant having any qualified status. Any operating entity involved in creative work is eligible for such tax credits.

IP Box

The second part of the tax credit package, the IP Box, is closely connected with the above-mentioned R&D credit. The IP Box entitles a taxpayer to a preferential 5% income tax rate on revenue from qualifying intellectual property rights. To be eligible for IP Box tax relief a taxpayer’s income must be generated from qualifying IP rights (eg, patent, a protection right over a utility model or copyright on a computer program). Applications for this tax credit are made on a voluntary basis and do not disqualify a taxpayer from applying for other preferential taxes, including R&D tax credits or ATS.

Artist Tax Scheme (ATS)

Last but not least, Polish taxpayers engaged in creative work may benefit from the Artist Tax Scheme (ATS). Under this scheme employees engaged in creative work which has a creative outcome (such as software) are eligible to claim higher tax-deductible costs. To benefit from this tax credit, both the employer and the employee are required to keep meticulous records of all works actually created by the employee in order to prove that the rights to such works have been duly transferred to the employer.

All three elements of the above package are closely interconnected and, in most of the cases, overlap. Applied jointly, the package creates an attractive tax credit for an innovative business entity. The current legislative environment suggests that the innovative tax credits will surely be an ever-present feature in the TMT sector in years to come.

Konieczny Wierzbicki Law Firm

Kącik 4
30-549 Kraków
Poland

+48 12 395 71 61

lukasz.wieczorek@kwkr.pl
www.koniecznywierzbicki.pl

Trends and Development

Authors



Konieczny Wierzbicki Kancelaria Radców Prawnych Spółka Partnerska is composed of 25 experienced legal professionals specialising in various practice areas, including TMT, corporate, real estate, intellectual property and private equity issues. Its main office is located in Kraków. The law firm is recognised for its TMT team, which has great experience in handling multi-jurisdictional TMT-related matters from all over the world. The team has worked on many cutting-edge projects regarding cloud models (eg, SaaS), mobile payments, virtual banking, cloud native software, etc, in most current IT methodologies (ie, agile), as well as drafted and negotiated practically all types of IT contracts. Konieczny Wierzbicki Law Firm has been engaged in works involving companies such as Standard Chartered Bank, CommerzBank, BNP Paribas, Citi Group, Emirates NBD, Allianz, Allstate, Baillie Gifford, First American and Universal. Relevant recent work on behalf of clients includes preparation and negotiation of contracts for provision of specialised IT services to a US-based "unicorn" entity, in which investors are leading global venture capital funds.
