Contributed by Linklaters.
What are the main data protection-related pieces of legislation and other regulations in Poland?
The primary legal framework governing data protection in Poland is established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR). The GDPR became directly applicable in all Member States of the EU on 25 May 2018. It constitutes the cornerstone of privacy regulations in Poland.
In more than 50 areas, the GDPR allows Member States to introduce domestic data protection laws supplementing it. To ensure the application of the GDPR in Poland, the Polish Parliament adopted several national acts specifying many different aspects of data protection. Such acts include, inter alia, the Act of 10 May 2018 on Personal Data Protection, as amended (Data Protection Act) and the Act of 21 February 2019 amending certain laws to ensure the implementation of the GDPR in Poland (2019 GDPR Implementation Act). The 2019 GDPR Implementation Act amended Polish sectoral laws, such as labor, consumer protection, insurance, banking, and telecommunication laws. In total, it amended 162 different acts.
Consequently, Polish law adds several specific requirements on top of the GDPR, concerning, inter alia, the processing of employees' data, specific principles for conducting marketing activities, the obligation to translate (or implement) certain privacy documents into Polish (i.e. privacy notices, especially those directed at consumers, employees, and job applicants), the obligation to notify the appointment of a data protection officer (DPO) to the Polish data protection authority (Polish DPA), and specific retention periods. Polish law also introduces additional (criminal) penalties for unlawful personal data processing.
Moreover, the Polish DPA has established and made public a list of processing operations that are subject to the requirement for a data protection impact assessment (DPIA List).
Please find below a list of the most relevant local regulations regarding various aspects of data protection in Poland:
- Data Protection Act;
- 2019 GDPR Implementation Act;
- Act of 26 June 1974 Labor Code;
- Act of 4 March 1994 on the Company Social Benefits Fund;
- Act of 18 July 2002 on the Provision of Services by way of Electronic Means;
- Act of 16 July 2004 Telecommunication Law;
- Act of 6 June 1997 Criminal Code;
- Act of 29 August 1997 Banking Law;
- Act of 1 March 2018 on Counteracting Money Laundering and Financing Terrorism;
- Act of 11 September 2015 on Insurance and Reinsurance Activities;
- Communication of the Polish DPA of 17 June 2019 on the list of the processing operations which are subject to the requirement for a data protection impact assessment;
- Various national acts specifying retention periods, such as the Act of 29 August 1997 Tax Ordinance.
What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?
Primary definitions are set out directly in the GDPR.
Personal data
Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person.
This is a broad term and includes a wide range of information. The GDPR expressly states it includes online identifiers such as cookies.
Data processing
Under the GDPR, processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data processor
Under the GDPR, processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Data controller
Under the GDPR, controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject
Under the GDPR, data subject means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special category of personal data
Special category personal data under the GDPR includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, and data concerning a natural person's sex life or sexual orientation.
Consent
Under the GDPR, consent means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Which entities fall under the data privacy regulations in Poland?
Territorial scope of application of the GDPR
The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.
It also contains express extra-territorial provisions and will apply to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.
The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).
Concepts of controllers and processors
The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.
The European Data Protection Board has issued Guidelines on the concepts of controller and processor in the GDPR (7/2020).
Both controllers and processors are subject to the rules in the GDPR, but the obligations placed on processors are more limited.
Manual and electronic records
The GDPR applies to both electronic records and structured hard-copy records.
National derogations
The GDPR does not apply to law enforcement activities which are instead subject to the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Law Enforcement Directive). The GDPR also does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.
Furthermore, the Data Protection Act excludes the application of the GDPR in several fields. Fully exempt are the activities of special forces as well as the processing of personal data by entities of the public finance sector if such processing is necessary for the execution of tasks that are aimed at ensuring national security.
The GDPR is also partially excluded from application in the scope of editing, preparing, or publishing press materials, and in the scope of literary or artistic activities (e.g., there is an exemption to the obligation to provide privacy notices).
Moreover, data controllers performing public services are exempted from certain obligations to provide privacy notices and to respond to subject access requests where the processing relates to the performance of public duties and complying with these provisions could breach the protection of classified information or prevent or significantly obstruct the proper execution of a public service.
Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?
Specific sectors
Specific sectors have distinct regulatory regimes within Polish jurisdiction. Sectoral laws (e.g., for banks, telecommunications operators, and healthcare service providers) impose additional security obligations on data controllers. They include, inter alia, the following:
- Healthcare sector:
- Medical Activities Act of 15 April 2011;
- Act on Patients’ Rights and the Commissioner for Patients’ Rights of 6 November 2008;
- Act on the Healthcare Information System of 28 April 2011; and
- Act on Clinical Trials of Medicinal Products for Human Use of 9 March 2023;
- Telecommunication sector: Telecommunication Law of 16 July 2004;
- Energy sector: Energy Law Act of 10 April 1997;
- Financial sector: Payment Services Act of 19 August 2011; Act on Counteracting Money Laundering and Terrorist Financing of 1 March 2018; Act on the Principles of Obtaining Information About the Criminal Record of Persons Applying for Employment and Persons Employed in Entities of the Financial Sector of 12 April 2018; Financial Instruments Trading Act of 29 July 2005;
- Insurance sector: Insurance and Reinsurance Activity Act of 11 September 2015;
- Banking sector: Banking Act of 29 August 1997.
Employees’ data
The Act of 26 June 1974 Labor Code (Labor Code) includes a list of the categories of personal data of employees and job applicants that may be processed by employers or potential employers. The consent of an employee or a job applicant may constitute a valid legal basis for personal data processing in some cases, within the scope provided for in the Labor Code.
The Labor Code also includes specific provisions on employee monitoring. It is strictly prohibited to monitor premises entrusted to trade union organizations. It is also prohibited to monitor sanitary rooms, cloakrooms, canteens, and smoking rooms unless monitoring of these rooms is necessary to ensure the safety of employees, the security of property, production control, or the confidentiality of information whose disclosure could expose the employer to harm.
E-mail monitoring and other forms of employee monitoring are also allowed, but specific rules set out in the Labor Code must be followed.
Further, the recent amendments to the Labor Code introduced a legal basis for conducting sobriety tests of employees and provided rules for the processing of sensitive personal data in the form of information on the results of sobriety tests (data concerning health).
The Labor Code also includes specific provisions regarding remote working (the employer is obliged to define procedures for the protection of personal data by employees working remotely and to provide instruction and training in this regard, where necessary).
The protection of employees' personal data is also specified by other Polish laws. For example, the processing of employees’ personal data for the purposes of running the company social benefits fund is regulated by the Act of 4 March 1994 on the Company Social Benefits Fund (Company Social Benefits Fund Act). Among other things, the Company Social Benefits Fund Act requires that only persons with written authorization process certain categories of personal data, and imposes an obligation to review personal data collected for the purposes of running the company social benefits fund at least once per calendar year and to erase such data where processing them is no longer necessary.
In addition, legislation concerning processing information about criminal offenses in the financial sector has been in force since June 2018. It gives employers from the financial and banking sector an explicit right to check criminal records with respect to certain employees and job applicants, including employees employed in, and job applicants applying for, a position requiring access to confidential data or making high-risk decisions. It includes a broad list of financial sector entities that fall within the scope of its application and sets out the specific requirements for processing information about criminal offenses of job applicants and employees.
What rights do data subjects have under the data protection regulations in Poland?
Data subjects in Poland generally have the same rights as those under the GDPR.
Right to access information
Data subjects have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The right to obtain a copy of personal data should not adversely affect the rights and freedoms of others. The response must be provided within a month, though this can be extended by two months if the request is complex.
Right to data portability
Data subjects also have a right to data portability where the condition for processing personal data is consent or the performance of a contract. It entitles individuals to obtain any personal data they have “provided” to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service.
Right to be forgotten
A data subject can ask that their data be deleted in certain circumstances. However, those circumstances are relatively limited, for example where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are a range of exemptions, for example where there is a legal obligation to retain the data.
Objection to direct marketing
A data subject can object to their personal data being processed for direct marketing purposes at any time. This includes profiling to the extent related to direct marketing.
Other rights
The GDPR contains a range of other rights, including the right to have inaccurate data rectified. There is also a right to object to processing being carried out in the performance of a public task or under the “legitimate interests” condition.
Finally, there are controls on making decisions based solely on automated decision-making that produce legal effects or similarly significantly affect the data subject.
What is the territorial application of the data privacy regime in your jurisdiction?
In Poland, the territorial application of the data privacy regime is primarily governed by the GDPR, which is directly applicable in all EU Member States, including Poland. The GDPR has an extraterritorial scope and applies not only to entities based within the EU but also to organizations outside the EU if they process the personal data of individuals who are in the EU in connection with:
- the offering of goods or services to such individuals in the EU, regardless of whether a payment is required;
- the monitoring of their behavior, as far as their behavior takes place within the
In summary, the territorial application of the data privacy regime in Poland covers entities operating within Poland, Polish entities processing data outside of Poland, and non-Polish entities processing personal data of individuals located in Poland in the context of offering goods, services, or monitoring their behavior.
What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?
When planning processing activities in Poland, it is essential to consider several key factors. These include regulations concerning employees' personal data, the need to maintain some documentation in the Polish language, and the requirement to inform the Polish DPA of an appointment of a DPO. Furthermore, the appointment of a DPO carries additional responsibilities. Controllers are also obliged to conduct the data protection impact assessment (DPIA) under circumstances specified by the Polish DPA. Additionally, compliance with specific data retention periods mandated by Polish law, and obligations related to marketing activities, which are detailed below, ought to be factored in.
Use of Polish language in data protection documentation
The obligation to provide information to data subjects in Polish results from the Act of 7 October 1999 on the Polish Language, according to which any communication with the consumers must be in Polish. This means that privacy notices directed at consumers in Poland must be prepared or translated into Polish. The same applies to employment relationships. Moreover, according to the Transparency Guidelines under Regulation 2016/679 issued by the Article 29 Working Party, if the controller directs information to data subjects who speak another language or languages, a translation in that language or those languages should be provided by the controller.
Moreover, under the Data Protection Act, the Polish DPA may, in the course of proceedings, require a party to translate its GDPR documentation into Polish at that party's expense. It is therefore advisable for Polish entities to prepare and implement internal privacy documentation in Polish.
Obligation to notify the appointment of a DPO to the Polish DPA
Under Article 10 of the Data Protection Act, an entity that appoints a DPO shall notify the Polish DPA of the appointment within 14 days of the appointment. The Data Protection Act specifies what information must be included in such notification.
Additional obligations regarding DPO appointment
Under the Data Protection Act, an entity that appoints a DPO shall make the DPO's name, surname, and e-mail address or telephone number available on its website immediately after such appointment or, if it does not maintain its own website, in a manner publicly accessible at the place of business.
DPIA List
The Polish DPA has published the DPIA List to specify what processing activities require conducting a DPIA. For example, in Poland, using systems for monitoring employees' working time and the flow of information in the tools they use (e-mail, Internet) or customer profiling systems to identify purchase preferences requires conducting a DPIA. The DPIA List should be taken into account while carrying out a risk assessment for Polish entities.
Marketing Activities
In order to legally process personal data as part of marketing activities carried out in Poland, in addition to the GDPR, the provisions of the following national laws must be taken into account: (i) Act of 18 July 2002 on the Provision of Services by way of Electronic Means (ECA) and (ii) Act of 16 July 2004 Telecommunication Law (TL). Moreover, over the years, there have been numerous interpretations and decisions published by competent authorities (Polish DPA, the President of the Office of Electronic Communications, and the President of the Office of Competition and Consumer Protection), which have clarified the requirements for individual consents collected for marketing purposes.
Article 172(1) of the TL and Articles 10(1) and (2) of the ECA require consents for, respectively:
- the use of telecommunications terminal equipment and automatic calling systems for direct marketing purposes; and
- the sending of commercial information addressed to a designated recipient who is a natural person by means of electronic
With regard to the criteria that these consents should meet, the ECA and the TL refer to data protection legislation. This means that consents collected in Poland should satisfy the requirements set out in the GDPR. However, in Poland there have been several decisions clarifying what the various supervisory authorities consider to be “valid consent.” For example, these decisions indicate that the different channels of communication used for direct marketing purposes (SMS, e-mail, etc.) should be specified, and that data subjects should be allowed to consent to each channel of communication separately.
Moreover, the use of cookies is subject to the conditions set out in Article 173 of the TL. According to this provision, the use of cookies is allowed provided that:
- the user is informed in advance, in an unambiguous, easy, and understandable manner, of the purpose of storing and accessing the information collected through cookies and of the possibility of changing the cookie settings via the software installed on the user's terminal equipment;
- the user consents to the use of cookies; and
- the installation or use of cookies will not result in any configuration changes on the user's terminal equipment or on the software installed on that
Although under Article 173(2) of the TL consent for cookies can be given via browser settings, the Polish DPA has taken the view that such consent should be actively obtained by the controller (therefore, reliance on the user's browser settings is not a recommended solution).
The ECA also specifies in Article 18 the categories of personal data that may be processed in connection with the provision of electronic services, including for the conclusion of contracts and for the purposes of advertising, market research, and research into customer behavior and preferences to improve the quality of the service provided by the service provider, and introduces consent requirements for certain of these processing activities.
Specific retention periods
It is also necessary to consider retention periods resulting from various Polish laws, which will be further described below.
What are the regulations and best practices concerning the retention and deletion of personal data in Poland?
There are specific retention periods resulting from numerous Polish laws. The most relevant retention periods result from laws regarding personal data collected in the context of employment/HR, taxes, accounting, concluding contracts, court proceedings, etc. Because retention periods usually result from specific Polish laws, it is not possible to implement a group data retention policy without first adjusting it to Polish law requirements. Determining all relevant retention periods requires a case-by-case analysis, including mapping and examining processing activities. Organizations should document their data retention and deletion policies, clearly stating the criteria for determining retention periods and the procedures for data deletion or anonymization. When data is no longer needed, it should be securely deleted or anonymized so that it can no longer be associated with an individual.
Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?
The Data Protection Act appointed a new supervisory authority in Poland, namely the President of the Office of Personal Data Protection. This Office replaced the Inspector General for Personal Data Protection, whose office ceased to exist as of May 25, 2018.
The President of the Office of Personal Data Protection (Office of Personal Data Protection)
Stawki 2
00-193 Warsaw
https://uodo.gov.pl/
The President of the Office of Personal Data Protection represents Poland on the European Data Protection Board.
Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Poland, and under what conditions?
The conditions for the necessity of appointing a DPO in Poland derive from Article 37 of the GDPR. Both controllers and processors must appoint a data protection officer if: (i) they are a public authority; (ii) their core activities consist of regular and systematic monitoring of data subjects on a large scale; or (iii) their core activities consist of processing special category personal data on a large scale (including processing information about criminal offenses).
DPOs must also be appointed where required by national law. However, Poland has not made such an appointment mandatory in the private sector in any additional circumstances.
How should data breaches be handled in your jurisdiction?
A personal data breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to data subjects. The notification must, where feasible, be made within 72 hours. If the personal data breach is a high risk for data subjects, those data subjects must also be notified.
Specific laws on data breach notifications apply to the electronic communications sector under the national laws implementing the Privacy and Electronic Communications Directive (ePrivacy Directive) and to operators of essential services and digital service providers under national laws implementing the Network and Information Systems (NIS) Directive. The regulatory landscape in this regard is set to evolve soon, with the Polish Parliament actively working on legislation to implement the NIS2 Directive. This forthcoming legislation will broaden the scope of responsibilities, introducing enhanced notification requirements for a wider range of organizations.
Pursuant to the Data Protection Act, the President of the Office of Personal Data Protection may introduce an online system enabling controllers to report personal data breaches. The President of the Office of Personal Data Protection has created such a system that enables notification of personal data breaches in electronic form.
What are the potential penalties and fines for non-compliance with data protection regulations in Poland?
Administrative Fines
The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.
A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or EUR 10 million, whichever is greater. Failing to notify a personal data breach or failing to put an adequate contract in place with a processor falls into this lower tier.
Fines can only be imposed where there is an intentional or negligent infringement of the GDPR (see the CJEU judgment in the Deutsche Wohnen case, C-807/21).
The Data Protection Act lowers the level of these administrative fines for public authorities. The fines for public authorities cannot exceed PLN 100,000 (approximately EUR 23,000).
The Data Protection Act also introduces criminal fines that can be imposed on an individual as a result of a criminal conviction for criminal offenses related to data protection, such as unlawful data processing or hindering inspection proceedings. Their value is determined by the Criminal Code.
Criminal sanctions
The Data Protection Act also provides that persons who process personal data unlawfully or without authorization face a criminal fine, restriction of personal liberty, or imprisonment of up to two years (three years if such processing concerns special categories of data).
A criminal fine, restriction of personal liberty, or imprisonment of up to two years may also be imposed as a criminal sanction for hindering inspection proceedings.
Compensation
Data subjects have a right to compensation in respect of material and non-material damage. This requires more than a mere infringement of the GDPR: there must be actual material or non-material damage. However, there is no minimum threshold of seriousness before compensation is available (see the CJEU judgment in the Oesterreichische Post case, C-300/21).
Are there any noticeable patterns or trends in how enforcement is carried out in Poland?
Trends in enforcement
To date, the majority of GDPR fines issued in Poland have targeted businesses in the industry and commerce, media, telecoms and broadcasting, finance, and insurance sectors. However, the Polish DPA has not limited its oversight to these sectors specifically. In Poland, the predominant reasons for GDPR penalties have been the lack of adequate legal grounds for data processing (as per GDPR Articles 5 and 6), shortcomings in information security (Article 32), or the inadequate execution of the obligation to notify of data breaches (Articles 33 and 34).
Sectoral inspection plans
Further, the Polish DPA announces sectoral inspection plans annually. Every year, the authority indicates which business sectors or specific processing operations will be subject to increased regulatory scrutiny and potential enforcement for failure to comply. This year, the plan includes three points, one of which relates to public authorities processing personal data in the Schengen Information System (SIS) and Visa Information System (VIS). The other two points of the plan are relevant to businesses across all sectors of the private sector. The list includes entities processing personal data using Internet (web) applications; the Polish DPA specifies that it will verify the method of securing and sharing personal data processed in connection with the use of these web applications. The Polish regulator will also focus this year on verifying the correct fulfillment of information obligations by private sector entities.
Highest GDPR fines in Poland
The three most substantial fines issued in Poland to date – against Fortum Marketing and Sales Polska S.A., Morele.net, and Virgin Mobile Polska sp. z o.o. – were due to the companies not having robust organizational and technical protections, which resulted in unauthorized access to stored personal data. The most severe penalty imposed under the GDPR in Poland thus far is the PLN 4.9 million fine (about EUR 1.08 million) levied on Fortum Marketing and Sales Polska S.A. after a security breach exposed the personal data of 137,314 individuals. This breach was facilitated by unauthorized access to a server, a situation that could have been prevented with proper security measures, which the company’s processor failed to implement. The Polish DPA has established that the controller, failing to properly verify the processor, should bear responsibility for the breach. Judgment is currently pending before the Supreme Administrative Court, with the final verdict yet to be confirmed.
In September 2019, Morele.net was fined EUR 660,000 for insufficient organizational and technical safeguards, which, according to the President of the Office of Personal Data Protection, did not prevent the violation of the integrity of the Morele.net platform during organized hacker attacks in November and December 2018. As a result of these attacks, the personal data (including PESEL numbers) of over 2.2 million of Morele.net’s clients were stolen, and the attackers attempted to extort fake payments. Morele.net appealed the decision, which was eventually annulled by the Supreme Administrative Court in February 2023. In the Court’s view, the mere effect of the attack (successful hacking of the company’s IT systems) is not proof that the data controller did not implement appropriate safeguards. In addition, the Court noted that the President of the Office of Personal Data Protection should have appointed an expert witness in the proceedings. The President of the Office of Personal Data Protection reconsidered the case and, in February 2024, imposed an even higher fine on the controller in the amount of EUR 810,000, which is so far the second-highest fine imposed in Poland under the GDPR.
In December 2020, Virgin Mobile Polska was fined EUR 460,000 for failing to implement appropriate technical and organizational measures that would ensure an adequate level of IT security. Owing to this, they suffered a data breach whereby the personal data of 114,963 customers was accessed by an unauthorized person, in the scope of name and surname, PESEL registration number, series and number of ID card, telephone number, and NIP number. Due to the scope of the personal data disclosed, the breach resulted in a high risk to the rights and freedoms of natural persons.
Statistics from the Polish DPA’s annual report
According to the annual report published by the Polish DPA in 2023:
- in 2022, the Polish DPA received 6,995 complaints from data subjects;
- proceedings were completed in 6,479 cases, of which 1,830 resulted in administrative decisions;
- the Polish DPA received 12,722 data breach notifications (a similar number to 2021);
- the Polish DPA imposed 20 administrative fines, totaling PLN 7,850,861;
- sector inspections were carried out at 40 entities, eight of which were initiated as a result of learning of the data breach by the Polish
New Head of the Office
With the recent appointment of a new President of the Office of Personal Data Protection, enforcement practice may shift to reflect the new leadership's priorities and viewpoints.
How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Poland?
Emerging technologies such as Artificial Intelligence (AI), the Internet of Things (IoT), and blockchain significantly affect data protection considerations in Poland, as they do globally.
Artificial intelligence
AI systems can analyze and process large volumes of data, including personal data, which enables them to learn, make decisions, and generate insights. At the same time, AI systems raise various privacy issues, including but not limited to valid consent, adherence to the data minimization principle, and the implications of automated decision-making. AI also poses significant challenges to the exercise of individual rights, such as the right to erasure (the right to be forgotten). Addressing these concerns will largely require interpretation and application of the GDPR and the forthcoming Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts (AI Act), which has recently been adopted by the European Parliament and is expected to enter into force in the coming weeks.
According to the press release of the Polish DPA, the Polish supervisory authority is in the process of developing guidance for the design and adjustment of national legislation to meet data protection standards in relation to AI systems utilization. This guidance is intended to be a resource for the parliament during legislative deliberations regarding AI.
IoT
IoT services depend on the exchange of data between interconnected devices, or between those devices and central infrastructure. Compliance with privacy laws therefore requires several requirements to be considered at once. One of the main considerations is that smart devices usually need access to data collected by other devices over the IoT, and vice versa. Such access, however, also increases the risk of data breaches.
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (EU Data Act) imposes new obligations on providers of "connected products" (i.e., devices that collect data and communicate it via an electronic communications service) and of related services. The obligations generally concern "product data" (data designed to be retrievable from the connected product) and related service data.
In Poland, authorities have not yet responded to the challenges resulting from IoT and it is yet to be determined whether the government will pursue a path toward tighter regulation of IoT business models, as has been done, for example, in the UK.
Blockchain
The decentralized structure of blockchain networks and the enduring nature of the data recorded on them present two main categories of challenges for personal data processing with this technology.
The first challenge is clarifying the roles under the GDPR (controller, processor, joint controllers). The allocation of these roles will significantly influence how responsibilities and liabilities are distributed among participants in the blockchain network, and will vary depending on the conceptual framework adopted.
The second challenge concerns upholding the rights of the individuals whose data are processed, including the right to be informed about who is processing their data, in what manner, and for how long, as well as the rights to rectification and to erasure or restriction of processing. The immutable nature of data recorded on a blockchain complicates, and in some cases may preclude, the fulfillment of these rights.
Poland is planning to enact a crypto-assets law to align with Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (MiCA Regulation), which governs crypto-asset markets. This upcoming legislation aims to strengthen customer and investor safeguards and uphold the integrity of the crypto-asset market. The Polish DPA has reviewed a preliminary draft of the law and highlighted certain areas that require further clarity, particularly concerning the personal data protection of market participants.
Although MiCA directly references the GDPR, the Polish DPA suggests that incorporating specific personal data protection provisions into national law would be beneficial. Such provisions would reduce ambiguity in determining the roles and obligations of entities processing personal data. For instance, clarity is needed on when the data protection impact assessment under Article 35 of the GDPR is mandatory, as well as on the implementation of appropriate technical and organizational measures under Article 25 of the GDPR, especially given the extensive data processing that occurs with emerging technologies such as distributed ledger technology.
Are there any expected changes in data protection on the horizon in the next 12 months in Poland?
Within the next 12 months, several new regulations may be enacted that would affect data protection and privacy obligations in Poland.
Whistleblowing
A proposed Polish act on whistleblower protection, which aims to implement Directive (EU) 2019/1937 (Whistleblowing Directive) into the Polish legal system, is currently before Parliament. The Whistleblowing Directive focuses on establishing robust measures to safeguard individuals who report breaches of EU law. The draft Polish whistleblowing law contains some additional data protection provisions, such as a specific retention period for processing operations relating to whistleblowing. Moreover, personal data that could reveal the whistleblower's identity may not be disclosed to unauthorized individuals unless the whistleblower gives explicit consent.
The draft raises some concerns regarding the absence of provisions specifying which personal data can be used to identify whistleblowers; such provisions would ensure a uniform catalog of data categories across the various registers and be in line with the data minimization principle. Additionally, the draft does not address the processing of special category data, even though reports may reveal the political opinions or beliefs of the alleged violator. Changes in this regard may be introduced during the ongoing parliamentary work.
Most of the provisions are anticipated to take effect three months following publication of the act in the Journal of Laws.
Cybersecurity
Cybersecurity is fundamentally connected to the safeguarding of personal data. On April 24, 2024, the Polish government published a proposed revision of the National Cyber Security System Law, which aims to implement the NIS2 Directive. The proposal responds to the growing need for stronger cybersecurity measures in Poland and seeks to align domestic rules with those of the European Union. The forthcoming changes will substantially broaden the range of organizations subject to the law, require companies to determine for themselves whether they qualify as key or important entities under the law (self-identification), and significantly raise the fines for non-compliance with cybersecurity obligations.
Electronic Communications Law
On May 7, 2024, the government adopted a draft law to replace the current Act of 16 July 2004 Telecommunication Law, which will provide a new regulatory framework for electronic communications in Poland (Electronic Communications Law). The primary purpose of the draft law is to implement the provisions of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code into the national legal order. It contains provisions comprehensively regulating the electronic communications sector, defining the rights and obligations of regulatory authorities, entrepreneurs, and end users (including consumers). The new Electronic Communications Law will comprehensively regulate, among other things, the performance of activities involving the provision of electronic communications services, the regulation of electronic communications markets, as well as the rights and obligations of users, the principles of telecommunications data processing and the protection of electronic communications secrecy. It will also set out new rules of data processing in the provision of publicly available electronic communications services.
The Electronic Communications Law will now be subject to parliamentary work. The new laws are expected, in principle, to enter into force three months after publication in the Journal of Laws.