-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).
DATA PROTECTION AND PRIVACY
Since 25 May 2018, the principal data protection legislation in Poland has been Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (“GDPR”).
There is further general legislation that impacts data protection. The key laws are:
- Protection of Personal Data Act of 10 May 2018.
This specifies in particular:
- the procedure for notifying the appointment of a Data Protection Officer (“DPO”);
- the conditions of accreditation of the entity authorised to certify in the field of personal data protection;
- the procedure for approving codes of conduct;
- monitoring compliance with the personal data protection provisions; and
- criminal liability for violating such provisions.
- The Telecommunications Act of 16 July 2004 (ePrivacy Directive implementation, revised by Directive 2009/136). In practice, this applies to every entrepreneur with a website.
Article 173 of the Telecommunications Act is a general provision and applies to every entity that uses technology such as cookies, regardless of the nature of the data being stored or accessed.
It sets a specific standard for all entities (regardless of the sector – online, mobile, e-commerce, other information society services (“ISS”), connected vehicles, etc.) that wish to store or access information stored not only on computers, but in all terminal equipment (smartphones, smart TVs, etc.).
The obligation to meet additional requirements applies largely to commonly used solutions, starting from collecting information for statistical purposes or behavioural marketing (client profiles), through anti-fraud tools used by website operators (e.g. for ‘clickbot’ detection), to building an online advertising network.
The Telecommunications Act of 16 July 2004 will probably be replaced by a new regulation soon.
- Labour Code of 23 December 1997.
This regulates, among others, the scope of data that the employer may request from the employee or the right to monitor employees.
- Protection of Personal Data Processed in Connection with Preventing and Combating Crime Act of 14 December 2018 (Police Directive implementation).
This regulates the area excluded from the application of the GDPR, i.e. the processing of personal data by competent authorities for the purposes of crime prevention, conducting preparatory proceedings and detecting offences.
- Articles 101 and 102 of the Treaty on the Functioning of the EU (regarding the definition of the term ‘undertaking’).
According to recital 150 of the GDPR, where administrative fines are imposed on an ‘undertaking’, an ‘undertaking’ should be understood in accordance with Articles 101 and 102 TFEU for those purposes (which unfortunately may have an adverse effect on the amount of the fine from the entrepreneur’s perspective).
CYBERSECURITY
European Union – Key Applicable Laws:
- Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. The NIS Directive continues to have legal effects and we refer to it in this document. However, the NIS 2 Directive (2022/2555) has already been adopted in the EU, with the date of transposition: 2024.
- Regulation (EU) 2019/881 on European Union Agency for Cybersecurity (ENISA) and on information and communication technology cybersecurity certification – under this regulation, soon there will be a uniform system of certification of cybersecurity of ICT in the EU – allowing for easier verification of the level of cybersecurity provided by organisations.
- Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market.
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
- Directive (EU) 2015/2366 on payment services in the internal market (PSD2).
Poland – Key Applicable Laws:
- Criminal Code of 6 June 1997;
- Labour Code of 26 June 1974;
- Civil Code of 23 April 1964;
- National Cybersecurity System Act of 5 July 2018 (“NCS”; NIS Directive implementation; NCS will probably be upgraded to NIS 2 Directive requirements soon);
- Trust Services and Electronic Identification Act of 5 September 2016;
- Data Protection Act of 10 May 2018;
- Suppression of Unfair Competition Act of 16 April 1993;
- Competition and Consumer Protection Act of 16 February 2007;
- Telecommunications Law of 16 July 2004 (will probably be replaced by a new regulation soon);
- Crisis Management Act of 26 April 2007;
- Payment Services Act of 19 August 2011;
- Classified Information Protection Act of 5 August 2010; and
- Recommendations and Instructions of the Financial Supervision Commission (KNF) concerning management of information technologies and security of the ICT environment.
-
Are there any expected changes in the data protection, privacy and cybersecurity landscape in 2023-2024 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
Changes in the Polish law
The biggest recent development in Polish data protection relates to the amendments to the Labour Code:
- new rules that enable employers to run sobriety tests or tests for use of illegal substances by employees; these rules allow employers to lawfully process data gathered without the consent of the data subject; and
- remote work regulations, which require employers to separately regulate personal data processing in the case of such work.
EU’s Digital Services Package
Following the adoption of the Digital Services Package in the first reading by the European Parliament in July 2022, both the Digital Services Act and Digital Markets Act have been adopted by the Council of the European Union, signed by the Presidents of both institutions and published in the Official Journal.
The DSA was published in the Official Journal on 27 October 2022 and entered into force on 16 November 2022. The DSA is directly applicable across the EU and applies from fifteen months after its entry into force or from 1 January 2024, whichever comes later.
Online platforms must publish their number of active users by 17 February 2023. If a platform or a search engine has more than 45 million users (10% of the population in Europe), the Commission will designate the service as a very large online platform or a very large online search engine. These services will have 4 months to comply with the obligations of the DSA, which includes carrying out and providing the Commission with their first annual risk assessment. EU Member States will have to appoint Digital Services Coordinators by 17 February 2024, by which date platforms with fewer than 45 million active users must also comply with all the DSA rules.
The DMA was published in the Official Journal on 12 October 2022 and entered into force on 1 November 2022. Before 3 July 2023, companies have to provide the Commission with information about their number of users so that the Commission can designate “gatekeepers” before 6 September. Gatekeepers will then have until March 2024 to ensure that they follow the obligations of the DMA.
Other changes
In the near future, EU Member States will devote significant effort to national legislation in order to implement:
- the NIS 2 Directive (2022/2555) of 14 December 2022 on measures for a high common level of cybersecurity across the Union, with the date of transposition: 2024; and
- the EU Electronic Communications Code, adopted in 2018. These rules apply to all electronic communications services in the EU. The Code has not yet been transposed by all EU countries (including Poland). The Body of European Regulators for Electronic Communications (BEREC) has developed a significant number of guidelines, which aim to promote a consistent application of the Code and contribute to its successful implementation. The Commission will publish its first review of the functioning of the Code at the end of 2025 and follow up with a report every 5 years.
-
Are there any registration or licensing requirements for entities covered by these laws, and, if so, what are the requirements? Are there any exemptions?
For information regarding notification of a DPO, please see question 17.
For information regarding the reporting of data breaches, please see question 31.
The reporting of data processing operations
The controller is required to report to and consult the supervisory authority when, after conducting a DPIA, it appears that the intended processing would result in a high risk to the rights and freedoms of data subjects and the controller cannot implement sufficient measures to reduce that risk to an acceptable level. Registration/notification is required for any controller who is subject to the GDPR and intends to start a processing operation meeting the notification obligation.
The notification should include:
- the identity and the contact details of the controller;
- the respective responsibilities of the controller, joint controllers and processors involved in the processing;
- the purposes and means of the intended processing;
- the measures and safeguards provided;
- the contact details of the DPO;
- the DPIA; and
- any other information requested by the supervisory authority.
Failure to comply with such obligation may result in the imposition of an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover.
-
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
“Personal Data” means any information concerning an identified or identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly. When assessing whether the means are of this nature, all objective factors should be taken into consideration – costs, time, technology, etc.
Examples of personal data include: name; identification number; location data; online identifier, such as an IP address; ID cookie (especially when combined with marketing data); and other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
“Sensitive personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data (if processing for the purpose of uniquely identifying a natural person), data concerning health or a natural person’s sex life or sexual orientation (closed catalogue).
Other key definitions:
- “Processing”
Any operation or set of operations which is performed on personal data, whether or not by automated means.
In other words, “processing” means any action taken on personal data during “the lifetime of the information” – including the collection of personal data (initial stage) and their deletion (last stage). Any other operations, such as profiling or pseudonymisation, shall also be considered as “processing”.
- “Controller”
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The GDPR establishes the responsibility and liability of the controller for any processing of personal data carried out on the controller’s behalf.
- “Processor”
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Data Subject”
An identified or identifiable natural person; an individual who is the subject of the relevant personal data – in other words, any person whose personal data are being processed.
The protection afforded by the GDPR applies to natural persons, whatever their nationality or place of residence.
The GDPR does not cover the processing of personal data which concern legal persons, including the name, form and contact details.
- “Data Breach”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “Pseudonymisation”
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
-
What are the principles related to the general processing of personal data or PII. For example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction, or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The key principles that apply to the processing of personal data:
- “Transparency”
Personal data must be processed lawfully, fairly and in a transparent manner. Controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
When collecting personal data via the Internet, including mobile devices, providing information in a multi-layered manner is good practice (in some cases, it may even be considered an obligation).
- “Lawful basis for processing”
The GDPR provides an exhaustive list of legal bases for processing. The following are the most relevant for businesses: (i) consent of the data subject; (ii) contractual necessity; (iii) compliance with legal obligations; or (iv) legitimate interests (pursued by the controller or by a third party), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The GDPR requires stronger grounds to process sensitive personal data (compared to “regular” personal data; there is no possibility to rely on the contract or legitimate interest).
- “Purpose limitation”
Personal data may only be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes. If a controller wishes to use the relevant personal data in a manner that is incompatible with the purposes for which they were initially collected, it must: (i) inform the data subject of such new processing; and (ii) be able to rely on a lawful basis as set out above.
Having a legal basis for processing for a specific purpose does not permit the use of all potentially valuable personal data to pursue that purpose (which data may be collected for a specific purpose is determined by the principle of minimisation, as set out below).
- “Data minimisation”
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
- “Proportionality”
The scope of the data must remain proportionate to the purposes of processing, and only such data as are necessary to achieve the specific purposes may be processed.
- “Retention”
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
It is good practice (sometimes even an obligation resulting from the accountability requirement) to implement internal data review procedures to determine the maximum storage period.
- “Accountability”
The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
In the case of automated processing, this means, in particular, the need to ensure that relevant information is recorded in IT system logs.
- “Data security (integrity and confidentiality)”
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, using appropriate technical or organisational measures.
The provisions do not specify measures to be implemented (due to the technological and organisational neutrality of the GDPR). The burden of choosing each specified measure to ensure data security lies with the controllers. Such an approach causes uncertainty, but also allows controllers to focus on areas where data processing can result in a “high risk” (for privacy). Far-reaching safeguards will not always be needed in cases of “low risk” processing.
- “Accuracy”
Personal data must be accurate and, where necessary, kept up to date. A business must take every reasonable step to ensure that personal data that are inaccurate are either erased or rectified without delay.
-
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
The processing of personal data itself may generally be based on legal grounds other than consent. Sometimes, however, the laws will require obtaining consent from the data subject for specific activities, and such consent must meet the requirements of the GDPR. This applies to:
Sending commercial information
Sending commercial information (intended directly or indirectly to promote the goods, services or image of the entrepreneur) to a designated recipient by means of electronic communication (via email, SMS, webpush, Messenger, WhatsApp, etc.) requires his/her consent (“opt-in” system).
The obligation to obtain consent applies to sending commercial information to natural and also legal persons (although there are some doubts in this respect).
Marketing, inter alia, by telephone
The use of telecommunications terminal equipment and automated calling systems for direct marketing purposes requires consent (“opt-in” system).
This means that telephone contact for marketing purposes also requires the prior approval of the recipient of such activities. This requirement applies to activities targeted at each entity (B2C and B2B, regardless of whether it is a natural or legal person). In the case of natural persons, however, the telephone number will also constitute personal data (regardless of the aforementioned requirements – the telephone marketing entity must also provide a legal basis for data processing for this purpose).
Marketing by post (targeted at a specific entity)
Although such actions do not have to meet additional requirements such as in the case of electronic or telephone marketing, it is necessary to meet the requirements of the GDPR.
This means the need to provide a legal basis for such action (generally, it will be a legitimate interest resulting from the seller–customer relationship). However, it cannot be ruled out that in some cases – especially when there is no such relationship between the controller and the data subject – it will be necessary to have consent in order to conduct marketing by post.
Cookies or similar technologies
As a rule, prior consent is required for cookies (or similar technologies). This applies, in particular, to the use of cookies in devices such as a computer, smartphone or smart TV.
-
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
The consent must be GDPR-compliant (i.a., separate for each communication channel).
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
-
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection or disclosure?
The processing of Sensitive Personal Data requires the fulfilment of additional obligations, including in the field of data security (there are further technical and organisational measures to take and, in most cases, a need to carry out a Data Protection Impact Assessment – “DPIA”).
The GDPR requires stronger grounds to process sensitive personal data (compared to “regular” personal data; there is no possibility to rely on the contract or legitimate interest).
-
How do the laws in your jurisdiction address children’s personal data?
Please note the following obligations when handling children’s personal data:
- Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
- The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
- If the legal basis for processing is consent, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful where the child is at least 16 years old.
Where the child is below the age of 16 years, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
-
How do the laws in your jurisdiction address health data?
According to Article 4 (15) of the GDPR, “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data concerning health deserve higher protection, as the use of such sensitive data may have significant adverse impacts for data subjects. In the light of this and the relevant jurisprudence of the European Court of Justice, the term “data concerning health” must be given a wide interpretation.
-
Do the laws include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
There is a large body of sector-specific legislation that impacts data protection and includes limitations.
The key sectoral legislation in Poland includes (the following list is not exhaustive):
- Provision of Electronic Services Act of 18 July 2002 – regulating areas such as ISS (e-commerce, hosting, etc.);
- National Cybersecurity System Act of 5 July 2018 – regulating, i.a., the required level of network and IT systems security of key service operators and digital service providers (online trading platforms, cloud computing services, Internet search engines). NCS will probably be upgraded to NIS 2 Directive requirements soon;
- Banking Act of 29 August 1997;
- Payment Services Act of 19 August 2011;
- Insurance and Reinsurance Activity Act of 11 September 2015;
- Counteracting Money Laundering and Terrorist Financing Act of 1 March 2018;
- Medical Activities Act of 15 April 2011; and
- Energy Law Act of 10 April 1997.
For specific legal requirements for the financial services sector and telecommunications, please see question 30.
-
Does your jurisdiction impose requirements of ‘data protection by design’ or ‘data protection by default’ or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The core obligation is the implementation of appropriate measures and necessary safeguards that provide effective implementation of the data protection principles and, consequently, of data subjects’ rights and freedoms by design and by default (DPbDD).
The GDPR stipulates that controllers should consider DPbDD early on when they plan a new processing operation. Controllers shall implement DPbDD before processing, and also continually at the time of processing, by regularly reviewing the effectiveness of the chosen measures and safeguards. DPbDD also applies to existing systems that are processing personal data.
Although not directly addressed in the GDPR, processors and producers are also recognised as key enablers for DPbDD; they should be aware that controllers are required to only process personal data with systems and technologies that have built-in data protection. When processing on behalf of controllers, or providing solutions to controllers, processors and producers should use their expertise to build trust and guide their customers, including SMEs, in designing/procuring solutions that embed data protection into the processing. This means in turn that the design of products and services should facilitate controllers’ needs.
How to typically meet the requirement
It should be kept in mind when implementing Article 25 that the main design objective is the effective implementation of the principles and protection of the rights of data subjects into the appropriate measures of the processing. In order to facilitate and enhance the adoption of DPbDD, EDPB makes the following recommendations to controllers as well as producers and processors:
- Controllers should think of data protection from the initial stages of planning a processing operation, even before the time of determination of the means of processing;
- Where the controller has a Data Protection Officer (DPO), the EDPB encourages the active involvement of the DPO to integrate DPbDD in the procurement and development procedures, as well as in the whole processing life-cycle;
- A processing operation may be certified. The ability to get a processing operation certified provides an added value to a controller when choosing between different processing software, hardware, services and/or systems from producers or processors;
- Controllers, processors and producers should consider their obligations to provide specific protection to children under 18;
- It is recommended for controllers to require that producers and processors demonstrate how their hardware, software, services or systems enable the controller to comply with the requirements to accountability in accordance with DPbDD, for example by using key performance indicators to demonstrate the effectiveness of the measures and safeguards at implementing the principles and rights.
SMEs
Article 25 of the GDPR does not lower the threshold of requirements for SMEs. The following points may facilitate SMEs’ compliance with Article 25:
- Do early risk assessments;
- Start with small processing – then scale its scope and sophistication later;
- Look for producer and processor guarantees of DPbDD, such as certification and adherence to codes of conduct;
- Use partners with a good track record;
- Talk with DPAs;
- Read guidance from DPAs and the EDPB;
- Adhere to codes of conduct where available;
- Get professional help and advice.
-
Are owners/controllers or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
- Each controller and, where applicable, the controller’s representative, has to maintain a record of processing activities under its responsibility. That record should contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
- Each processor and, where applicable, the processor’s representative should maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, a general description of the technical and organisational security measures.
- The records should be in writing, including in electronic form.
- Due to the accountability requirement, each organisation should also implement additional security documentation, which normally includes at least:
- Data Subject Request Procedure;
- GDPR Awareness Training Policy;
- Personal Data Breach Procedure and Register;
- Privacy and Personal Data Protection Policy;
- Records Retention and Protection Policy;
- Supplier Privacy Policy;
- Personal Data Transfer Principles;
- policy on handling data disclosure requests from public authorities;
- Privacy by design and Privacy by default procedure.
-
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
It is good practice (and sometimes an obligation resulting from the accountability requirement) to implement internal data review procedures that determine the maximum storage period for each category of data and trigger its erasure or anonymisation once that period has elapsed.
-
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
The controller is required to consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk to the rights and freedoms of natural persons and the controller cannot implement sufficient measures to reduce that risk to an acceptable level (Article 36 GDPR).
-
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
- Operators of essential services are required to conduct periodic cyber risk assessments, manage such risk and perform audits. Digital service providers are required to take measures allowing for risk management, including monitoring, auditing and testing.
- Under the GDPR, comparable measures may be necessary for any company processing personal data.
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
A data protection impact assessment is required in particular in the case of:
- systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
Please also keep in mind that each EU supervisory authority (including the Polish PUODO) has established and published a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment.
The data protection impact assessment must be documented, e.g. as a spreadsheet approved internally by the appropriate people in the organisation.
-
Do the laws in your jurisdiction require appointment of a data protection officer or a chief information security officer (or other person to be in charge of privacy or data protection at the organization), and what are their legal responsibilities?
Appointment of a CISO
Companies are not required under Applicable Laws to designate a CISO. However, under the NCS (NIS Directive implementation), companies that are operators of essential services are required to form an internal structure to ensure cybersecurity and designate a contact person to maintain contact with other state cybersecurity system elements.
Appointment of a data protection officer
The appointment of a DPO for controllers or processors is only mandatory in some circumstances, including where there is: (i) large-scale regular and systematic monitoring of individuals, e.g. on the Internet (as a core activity); or (ii) large-scale processing of sensitive personal data and personal data relating to criminal convictions and offences (as a core activity).
A DPO should be involved in all issues which relate to the protection of personal data. The GDPR outlines the minimum tasks of the DPO, which include: (i) monitoring compliance with the GDPR, national legislation and internal policies; (ii) advising on DPIAs and the training of staff; and (iii) acting as the contact point for the supervisory authority.
-
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
Yes, you should make sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date.
Your staff should receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade. Your staff should receive induction training prior to accessing personal data.
It is recommended to implement a comprehensive training programme that covers all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.
-
Do the laws in your jurisdiction require businesses to provide notice to data subjects of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
- Where personal data relating to a data subject are collected from the data subject, the controller has to, at the time when personal data are obtained, provide the data subject with all of the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
In addition, the controller should, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data have not been obtained from the data subject, the controller should provide the data subject with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition, the controller should provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
- where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
-
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data, and, if so, what are they? (For example, are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
Controller
In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller.
A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.
A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.
Processor
A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf.
The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organizational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.
-
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII, or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
Any processing of personal data by a processor must be governed by a contract or other legal act which shall be in writing, including in electronic form, and be binding. The controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses.
The GDPR lists the elements that have to be set out in the processing agreement. The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including the use of tracking technologies such as cookies. How are these terms defined, and what restrictions are imposed, if any?
Monitoring (CCTV)
The controller should inform data subjects who could potentially be monitored: (i) that monitoring is used; (ii) what area is covered by it; and (iii) its purpose and other information included in Article 13 GDPR.
Data subjects who remain in the monitored area must be aware that monitoring is carried out. Notices informing of the monitoring installed should be visible and placed permanently, not too far away from the monitored places.
The provisions do not limit the purposes for which CCTV can be used (with the exception of special regulations regarding, i.a., employer monitoring; restrictions introduced by sector-specific legislation, e.g. educational legislation or that which regulates public monitoring applied by local government units, are also possible).
General limitations of the CCTV purposes may result from the principle of proportionality, especially in the case of combining CCTV with other solutions, such as facial recognition.
The controller must also provide a legal basis for the use of CCTV – and although all the grounds under Article 6 GDPR are available, in individual cases it may be difficult to find a suitable one for a specific purpose other than compliance with a legal obligation or resulting from a legitimate interest of the controller (e.g. security of persons or property).
Automated decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The above does not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on the data subject’s explicit consent.
In those cases, the data controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling that does not form part of solely automated decision-making with legal or similarly significant effects does not require separate consent; it still needs a legal basis under Article 6 GDPR, and data subjects have the right to object to profiling based on legitimate interests, including profiling for direct marketing purposes.
Cookies
As a rule, prior consent is required for cookies (or similar technologies). This applies, in particular, to the use of cookies in devices such as a computer, smartphone or smart TV.
Provisions allow the use of some cookies to be exempted from the requirement of informed consent. This applies to cookies that meet one of the following criteria:
- the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- the cookie is strictly necessary to provide an “information society service” requested by the subscriber or user, which means that it must be essential to the fulfilment of their request.
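The distinction above (exempt “strictly necessary” cookies versus everything else, which needs prior, granular consent) is usually enforced in the browser by a consent gate. The following is an added illustration, not code from the original guide or from any consent-management product: it uses a hypothetical cookie catalogue, a hypothetical storage key and an in-memory store standing in for `document.cookie`, so it runs offline. The audit helper at the end flags any cookie present on the device whose category has no opt-in.

```javascript
// Added example: consent gate separating strictly necessary cookies from
// consent-gated ones. Cookie names, categories and CONSENT_KEY are hypothetical.

const CONSENT_KEY = "cookie_consent_v1"; // hypothetical storage key

// Hypothetical cookie catalogue. "necessary" cookies fall under the exemption
// (transmission of a communication / strictly necessary for a service the
// user requested); every other category requires prior consent.
const COOKIE_CATALOGUE = {
  session_id:   { category: "necessary" },
  csrf_token:   { category: "necessary" },
  analytics_id: { category: "analytics" },
  ad_profile:   { category: "marketing" },
};

// In-memory stand-in for document.cookie / localStorage so the example runs
// outside a browser (constructed test double, not browser code).
function createStore() {
  const cookies = new Map();
  const storage = new Map();
  return {
    setCookie: (name, value) => cookies.set(name, value),
    hasCookie: (name) => cookies.has(name),
    cookieNames: () => Array.from(cookies.keys()),
    saveConsent: (record) => storage.set(CONSENT_KEY, JSON.stringify(record)),
    loadConsent: () => {
      const raw = storage.get(CONSENT_KEY);
      return raw ? JSON.parse(raw) : null;
    },
  };
}

// Records a granular, per-category decision. Consent must be an affirmative
// act, so the absence of a record is treated as "no consent" for everything.
function recordConsent(store, categories) {
  store.saveConsent({ categories: { ...categories }, ts: Date.now() });
}

// True only if the category is exempt or has an explicit opt-in on record.
function isAllowed(store, category) {
  if (category === "necessary") return true;
  const rec = store.loadConsent();
  return Boolean(rec && rec.categories && rec.categories[category] === true);
}

// Sets a cookie only when its category is allowed; returns whether it was set.
// Cookies not in the catalogue are refused outright (no undocumented cookies).
function setCookieIfAllowed(store, name, value) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) throw new Error(`unknown cookie: ${name}`);
  if (!isAllowed(store, entry.category)) return false;
  store.setCookie(name, value);
  return true;
}

// Audit helper: returns the names of cookies present on the device whose
// category has no consent (or which are not in the catalogue at all).
function auditCookies(store) {
  return store.cookieNames().filter((name) => {
    const entry = COOKIE_CATALOGUE[name];
    return !entry || !isAllowed(store, entry.category);
  });
}
```

In a real deployment the store would wrap `document.cookie` and `localStorage`, third-party tags (analytics, ad network pixels) would be loaded only after `isAllowed` returns true for their category, and `auditCookies` would run as a periodic check that no script sets a non-essential cookie ahead of consent.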
-
Please describe any restrictions on targeted advertising and cross-contextual behavioral advertising. How are these terms or related terms defined?
Advertising network providers are bound by Article 5(3) of the ePrivacy Directive pursuant to which placing cookies or similar devices on users’ terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users.
Because behavioral advertising is based on the use of identifiers that enable the creation of very detailed user profiles which, in most cases, will be deemed personal data, the GDPR is also applicable.
Advertising network providers should comply with the obligations that arise from the GDPR, notably, with respect to rights of access, rectification, erasure, retention, etc.
Given the nature of the practice of behavioral advertising, transparency requirements are a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice.
-
Please describe any laws in your jurisdiction addressing the sale of personal data. How is “sale” or related terms defined, and what restrictions are imposed, if any?
There is no legal definition of the “sale of personal data”. In practice, however, this applies primarily to cases of making the database available to another entity for marketing purposes.
The purchase of marketing databases must meet the requirements of the GDPR; in particular:
- There must be a legal basis for the transfer of such data. Depending on the case, this may be a contract (e.g. the appropriate arrangement of a loyalty programme) or legitimate interest (recital 47 GDPR allows the legitimate interest of the data collector, i.e. the list buyer, to be relied on). Mostly, however, the data subject’s consent will be needed.
- The data subject should be informed about such a transfer (in particular, about the source of the data acquisition by the buyer and its scope).
It cannot be ruled out that the purchase of such a database will also have to meet the requirements of the Protection of Databases Act (i.a., the purchase from the relevant entity – “database producer”).
In order for the marketing base to fulfil its economic purpose (enabling the buyer to continue using it for marketing purposes), the buyer should have his/her own legal basis for such activities.
The following best practices are recommended:
- the person receiving the marketing message should know who is sending the message (the information as part of the message), and on whose behalf; and
- marketing activities should be based on a contract that includes a mechanism for transferring rights and obligations from such a contract to a third party.
-
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined, and what restrictions are imposed, if any?
Sending commercial information
Sending commercial information (intended directly or indirectly to promote the goods, services or image of the entrepreneur) to a designated recipient by means of electronic communication (via email, SMS, webpush, Messenger, WhatsApp, etc.) requires his/her consent (“opt-in” system).
The consent must be GDPR-compliant (i.a., separate for each communication channel) – consent may be expressed by providing an electronic address (e.g. email).
There are practical doubts concerning the possibility of sending electronic requests for such consent. The courts’ and authorities’ approach is not consistent.
Regardless of these requirements, the phone number, email address, etc. constitute personal data within the meaning of the GDPR. An entity operating in the field of electronic marketing must also provide a legal basis for data processing for this purpose (usually it will be a legitimate interest or contract – e.g. the provision of a newsletter service).
Marketing by telephone and automated calling systems
The use of telecommunications terminal equipment and automated calling systems for direct marketing purposes requires consent (“opt-in” system). The consent must be GDPR-compliant.
This means that telephone contact for marketing purposes also requires the prior approval of the recipient of such activities. This requirement applies to activities targeted at each entity (B2C and B2B, regardless of whether it is a natural or legal person). In the case of natural persons, however, the telephone number will also constitute personal data (regardless of the aforementioned requirements – the telephone marketing entity must also provide a legal basis for data processing for this purpose).
Marketing by post (targeted at a specific entity)
Although such actions do not have to meet additional requirements such as in the case of electronic or telephone marketing, it is necessary to meet the requirements of the GDPR.
This means the need to provide a legal basis for such action (generally, it will be a legitimate interest resulting from the seller–customer relationship). However, it cannot be ruled out that in some cases – especially when there is no such relationship between the controller and the data subject – it will be necessary to have consent in order to conduct marketing by post.
-
Please describe any laws in your jurisdiction addressing biometrics such as facial recognition. How are these terms defined, and what restrictions are imposed, if any?
“Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Biometric data processed for the purpose of uniquely identifying a natural person (e.g. facial recognition) constitute a special category of (sensitive) personal data, which means that the processing requires the fulfilment of additional obligations, including in the field of data security (further technical and organisational measures must be taken and, in most cases, a Data Protection Impact Assessment (“DPIA”) must be carried out). The GDPR also requires stronger grounds to process sensitive personal data (compared to “regular” personal data; it is not possible to rely on a contract or legitimate interest).
Employee biometric data
Pursuant to the Polish Labor Code, the processing of an employee’s biometric data is also permissible when providing such data is necessary due to the control of access to particularly important information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.
-
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Restrictions
Data transfers to other jurisdictions that are not within the European Economic Area can only take place if: (i) the transfer is to a territory/country which ensures an adequate level of protection (as specified by the EU Commission, i.a. to Japan and Switzerland); (ii) the business has implemented one of the required safeguards as specified by the GDPR (described below); or (iii) one of the derogations specified in the GDPR applies to the relevant transfer (e.g. data subject consent).
Mechanisms businesses typically utilise to transfer personal data abroad:
For international transfers of personal data (to a country which does not ensure an adequate level of protection), common options are:
- the use of Standard Contractual Clauses (drafted by the EU Commission); and
- for international data transfers within a group of businesses – the implementation of Binding Corporate Rules (“BCRs”) (which, however, require approval from the relevant data protection authority).
Some of the safeguards outlined in the GDPR that legalise international data transfers will require prior approval from the relevant data protection authority, including the establishment of BCRs or a code of conduct (also legalising such data transfer). The time required to obtain such approval depends on the case.
-
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Organisations are required to undertake several activities to monitor, detect, prevent or mitigate incidents.
Under the NCS (NIS Directive implementation), operators of essential services shall implement a security management system for the information system used to provide the essential service that is relevant and proportionate to the estimated risk (having regard to the state of the art) and measures to prevent and minimise the impact of Incidents (examples are provided). Security audit of the information system must be carried out at least every two years. Under the NCS, digital service providers shall also face similar and relevant requirements.
In accordance with the Act on Provision of Electronic Services, the service provider, in general, shall use appropriate cryptographic techniques.
In accordance with the Payment Services Act, the provider, as part of the risk management system, takes risk mitigation measures and implements control mechanisms to manage risk through an effective incident management procedure, including detection and classification of incidents, including those related to ICT systems (e.g. strong user authentication).
In accordance with the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (examples are given in Article 32(1) GDPR, e.g. pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the effectiveness of the measures).
-
Do the data protection, privacy and cybersecurity laws in your jurisdiction address security breaches, and, if so, how does the law define “security breach”?
Under the GDPR, “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Sectoral laws may provide for a separate definition of a security breach. Please see question 28.
-
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
There are specific legal requirements for:
- Financial services sector: detailed requirements concerning providing security of information in IT systems for providers of financial services are set out in the Recommendations and Instructions of the KNF and specific statutes. In general, the providers are required to take measures to mitigate risk and develop control mechanisms aimed at risk management and security breach risk management.
- Telecommunications sector: companies are required to take technical and organisational measures (providing a level of security appropriate to the risk, having regard to the state of the art and the cost of implementation) aimed at ensuring the security and integrity of the network, services and transmission of messages in relation to the services provided.
-
Under what circumstances must a business report security breaches to regulators, to individuals or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator, and what is the typical custom or practice in your jurisdiction?
Depending on the type of organisation, the obligation may differ.
Reporting to authorities
- Operators of essential services, under the NCS, are required to report information related to Incidents to the appropriate Computer Security Incident Response Team (CSIRT) within 24 hours of the Incident being detected. The obligation is triggered when the operator of essential services classifies the Incident as serious. The notification about the Incident should contain basic information on the Incident, reporting person and entity and measures taken.
- Organisations being digital service providers under the NCS have similar obligations.
- Organisations from the financial sector who provide payment services are also required to report certain Incidents related to the payment services and possibly to cybersecurity. Depending on the type of provider, they are required to report to the KNF, or another appropriate authority, operational Incidents, Incidents related to security, Incidents involving an account information service provider (AISP) and a payment initiation service provider (PISP), and annual report on frauds related to payment services. The obligation is usually triggered by the sole occurrence of the Incident.
- Telecommunications entrepreneurs are required to report to the President of the Office of Electronic Communications (UKE) any breach of security or integrity of the network or services that had a significant effect on the functioning of the network or services, giving information on the breach and any preventive and corrective measures taken. The obligation is triggered by every significant breach.
- Moreover, if the Incident has an effect on personal data processed by any organisation, such organisation is required to report such an Incident to the President of the Personal Data Protection Authority. The controller is responsible for reporting a personal data breach without undue delay (and in any case within 72 hours of becoming aware of the breach – after this term, it needs to be accompanied by reasons for the delay) to the relevant data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s).
The notification must include, i.a.: the nature of the data breach, including the categories and number of data subjects concerned, the likely consequences of the breach and the measures taken to address the breach, including attempts to mitigate possible adverse effects.
Reporting to affected individuals or third parties
Under the GDPR, when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach and contain basic information on the Incident specified in the GDPR.
There are situations when communication to the data subject may not be required.
Under the Act on Provision of Electronic Services, the provider is obligated to ensure access by the customer to up-to-date information on special risks related to the use of the electronic service.
Under the Telecommunications Law, when a personal data breach by a provider of publicly available telecommunications services may have adverse effects on the rights of a subscriber or end user who is a natural person, the provider shall immediately notify the subscriber or end user of the breach, subject to the exceptions set out in the Telecommunications Law.
The President of the Office of Electronic Communications (UKE) may impose on the telecommunications entrepreneur the obligation to publicly disclose the security or integrity breach of the network or services.
-
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cybercrime, such as the payment of ransoms in ransomware attacks?
Organisations are permitted to use any of the following measures to protect their IT systems:
- Beacons (i.e. imperceptible, remotely hosted graphics inserted into content to trigger a contact with a remote server that will reveal the IP address of a computer that is viewing such content);
- Honeypots (i.e. digital traps designed to trick cyber threat actors into taking action against a synthetic network, thereby allowing an organisation to detect and counteract attempts to attack its network without causing any damage to the organisation’s real network or data);
- Sinkholes (i.e. measures to re-direct malicious traffic away from an organisation’s own IP addresses and servers, commonly used against botnet traffic and DDoS attacks).
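As an added illustration of the beacon mechanism described above (example code written for this page; it is not part of the original text nor guidance from any Polish authority), the following Python script serves a 1x1 transparent GIF and records the IP address and User-Agent of whoever fetches it, keyed by an unguessable per-document token so that a hit can be matched to the copy of the content that was viewed. The hostname beacon.example, the path /b.gif and the query parameter t are assumptions.

```python
"""Minimal web beacon: serve a 1x1 GIF and log who fetched it.

Added example. The hostname, path and parameter name are assumed, not taken
from the original text.
"""
import http.server
import secrets
import urllib.parse
from datetime import datetime, timezone

# Standard 43-byte 1x1 transparent GIF (GIF89a); browsers render it invisibly.
TRANSPARENT_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
    b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

BEACON_HOST = "beacon.example"  # assumed hostname, not a real deployment

HITS = []  # in-memory log; a real deployment would write to a SIEM or database


def new_token():
    """Unguessable per-document token so a hit can be tied to one recipient."""
    return secrets.token_urlsafe(16)


def beacon_tag(token, host=BEACON_HOST):
    """HTML to embed in a document; 1x1 with no alt text makes it imperceptible."""
    return f'<img src="https://{host}/b.gif?t={token}" width="1" height="1" alt="">'


def parse_token(path):
    """Return the token from '/b.gif?t=...' or None if the path is not a beacon."""
    parts = urllib.parse.urlsplit(path)
    if parts.path != "/b.gif":
        return None
    return urllib.parse.parse_qs(parts.query).get("t", [None])[0]


def record_hit(path, client_ip, headers):
    """Log one beacon fetch. Returns (status, body, log_entry)."""
    token = parse_token(path)
    if token is None:
        return 404, b"", None
    # X-Forwarded-For is only trustworthy when the beacon sits behind a proxy
    # you control; otherwise the socket address is the only reliable source.
    forwarded = headers.get("X-Forwarded-For", client_ip)
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "token": token,
        "ip": forwarded.split(",")[0].strip(),
        "user_agent": headers.get("User-Agent", ""),
    }
    HITS.append(entry)
    return 200, TRANSPARENT_GIF, entry


class BeaconHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, _ = record_hit(self.path, self.client_address[0], self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # force a fresh fetch per view
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # hits are recorded by record_hit, not by the default access log


if __name__ == "__main__":
    print(beacon_tag(new_token()))  # paste this tag into the document to track
    http.server.HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

Run the script, embed the printed tag in the document to be traced, and every view that loads remote images appends a record to HITS. Note that the IP address and User-Agent collected this way are personal data under the GDPR regime described on this page, so the transparency and retention obligations discussed elsewhere in this Q&A apply to the beacon log as well.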
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
The relevant authorities are:
- President of the Personal Data Protection Office (PUODO), https://www.uodo.gov.pl. In some cases of processing with a cross-border element, the competent authority to take action concerning data protection may be the supervisory authority of another EU Member State (acting as the lead supervisory authority);
- Ministers responsible for the relevant sectors – depending on the sector where the given operator of essential services or digital service provider operates, and one central body (Polish Financial Supervision Authority).
- President of the UKE, https://www.uke.gov.pl/.
-
Do the laws in your jurisdiction provide individual data privacy rights such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
The key rights:
- Right of access to data/copies of data
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
The data subject has also the right to obtain from a controller information on processing, in particular about: (i) the purposes of the processing; (ii) the categories of data being processed; and (iii) where the data were not collected from the data subject, information as to the source of the data.
The data subject may also request a copy of the personal data being processed. Such copy may take the form of, in particular, a photocopy of the document or a copy of the printout from the IT system (it should therefore be designed to enable such an operation).
- Right to rectification of errors
Controllers must ensure that inaccurate or incomplete data are erased or rectified (the data subject has the right to request such actions).
- Right to deletion/right to be forgotten
Where the controller has made the personal data public and is obliged (pursuant to the above point) to erase the personal data, the controller has to take reasonable steps to inform other controllers that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those data.
- Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest or legitimate interest.
The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or unless it requires the data in order to establish, exercise or defend legal claims.
If the data subject objects to processing for a direct marketing purpose (including profiling), raising an objection means that the data cannot be further processed for such purpose.
The right to object applies only to data processing on the above legal grounds (public interest or legitimate interest).
- Right to restrict processing
Data subjects have the right to restrict the processing of personal data, which means that the data may only be held by the controller and may only be used for limited purposes. It applies if, i.a.: (i) the accuracy of the data is contested; (ii) the processing is unlawful and the data subject requests restriction (as opposed to exercising the right to erasure); or (iii) verification of overriding grounds is pending, in the context of an objection to processing.
- Right to data portability
The data subject is entitled to receive personal data concerning him or her in a structured, commonly used, machine-readable and interoperable format. Where technically feasible, the data subject has the right to have the personal data transmitted directly from one controller to another (including a competitor). This does not create an obligation for controllers to adopt or maintain processing systems which are technically compatible.
The data subject’s right to transmit or to receive data applies only:
- to data provided to a controller by a data subject. The data observed by the controller is also considered to be such – e.g., in the online environment, it could be data regarding the tracked activity of the data subject on the website. Such data does not include data “created” by the controller as a result of profiling (e.g. “the customer is interested in premium products”);
- where the processing of personal data is carried out by automated means (as a consequence, IT systems should be designed to enable the export of data of a specific person); or
- where processing is based on consent or contract. It does not apply where processing is based on other legal grounds.
- Right to withdraw consent
When processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw that consent at any time. In such a case, in the absence of another legal basis for further processing, the controller must erase the personal data.
Withdrawal of the consent given does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to object to marketing
At any time a data subject may object, without giving reasons, to processing for the purposes of direct marketing. Once such an objection is submitted, the controller may no longer process the data subject’s personal data for that purpose.
- Right protecting against solely automated decision-making and profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The above does not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on the data subject’s explicit consent.
In the first and third cases above (contract and explicit consent), the data controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
- Right to complain to the relevant data protection authority(ies)
The data subject is entitled to lodge a complaint to the supervisory authority; in Poland it is the President of the Personal Data Protection Office. A detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155.
- Right to erasure
If the controller has no basis for further processing, the data subject has the right to obtain from the controller the erasure of personal data. This applies, i.a., when the data subject withdraws consent or exercises a right to object that proves effective.
Where the controller has no basis for further processing, it must erase the personal data even in the absence of such a request from the data subject.
-
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
- Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
- Each data subject has the right to an effective judicial remedy where the supervisory authority does not handle a complaint.
- Each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.
-
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
A civil action may be brought against the offender (who, in addition to facing criminal punishment, is liable for damages) or against a company that failed to implement adequate security measures against an Incident (liable for damages).
Action for damages – under Article 415 of the Polish Civil Code, an action can be brought to compensate for actual loss (damnum emergens) and lost profits (lucrum cessans). Article 444 of the Polish Civil Code allows a claim for damages covering all costs resulting from a bodily injury (e.g. medical care and medication).
Action for compensation – under Article 445 of the Polish Civil Code, in addition to the claim for damages indicated above, a person who suffered bodily injury may also claim compensation for the harm suffered (including, e.g., psychological suffering). Article 448 of the Polish Civil Code provides for compensation for harm resulting from an infringement of personal rights (e.g. damage to reputation).
It is also possible to bring a civil claim within criminal proceedings. Under Article 46 of the Polish Criminal Code, if the court convicts the offender, it may order the offender to remedy, in whole or in part, any damage caused by the offence or to compensate for any harm. The criminal court applies the provisions of civil law. This also applies where an offender commits an Incident-related offence and a person suffers damage or injury as a result (e.g. where the Incident affected a hospital).
Specific examples of published civil or other private actions
V CSK 141/17 (Supreme Court, 18 January 2018): a bank customer attempted to access her bank account online. She entered her log-in data but was shown a notice saying the website was under maintenance. She later discovered that her money was gone. It was established in separate (criminal) proceedings that a third party had obtained her log-in data through phishing. The bank was found liable for failing to provide effective security measures and had to compensate the customer for the damage suffered.
VI ACa 509/17 (Appeal Court in Warsaw, 30 August 2018): a third party accessed the bank account of a bank customer and made several transactions totalling PLN 137,285. The third party used the customer’s log-in data from the same IP address the customer had used on the same day. The bank applied two-factor authentication, sending several messages (containing verification codes) for the customer to authorise the transactions. The customer claimed that not all of the codes had been used by him, and was unsure whether his computer was properly secured (e.g. whether the software was up to date). The court held that, in this case, the customer had been negligent in taking security measures while using the bank’s payment services. The court also found that the bank had provided effective security measures and could not be held liable for the loss of the customer’s money.
XXV C 2596/19 (District Court in Warsaw, 6 August 2020): in a judgment, the District Court in Warsaw awarded PLN 1,500 compensation from an insurance company, which provided the injured party with too much information about the policy owner.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection, privacy and/or cybersecurity laws? Is actual damage required, or is injury of feelings sufficient?
Any person who has suffered material or non-material damage as a result of an infringement of laws shall have the right to receive compensation for the damage suffered. Please see detailed information above (question 36).
-
How are data protection, privacy and cybersecurity laws enforced?
Various governmental bodies have specific powers. Apart from the police and public prosecutors in criminal proceedings, note that the PUODO, as part of its audit powers, is entitled to access buildings, premises and other spaces, to review documents and information directly related to the subject matter of the audit, and to carry out inspections of places, objects, equipment, media, and the information and ICT systems used to process data.
In accordance with the NCS, a person carrying out inspections of entities that are businesses is entitled to free access to and movement around the premises of the audited entity without the obligation to obtain a security pass to inspect equipment, mediums and information systems.
Similar powers are also held by personnel of the UKE that may also carry out inspections of the audited telecommunications networks and apparatuses.
-
What is the range of sanctions (including fines and penalties) for violation of data protection, privacy and cybersecurity laws?
Violation of data protection – administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringements of the obligations of controllers and processors, including the security of processing obligations relevant to cybersecurity, are subject to administrative fines of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
Penalties stipulated by the NCS may be up to PLN 200,000; however, if an inspection by the body responsible for cybersecurity finds that the operator of essential services or digital service provider has persistently breached the NCS, a fine of up to PLN 1 million may be imposed.
The body responsible for cybersecurity may also impose a fine on the managers of the operator of essential services (not exceeding 200% of their monthly salary) if they failed to exercise due care to meet specific obligations.
Penalties imposed by the Telecommunications Law may reach up to 3% of the income of the penalised entity generated in the previous calendar year (imposed both by the President of UKE and the PUODO, as applicable).
-
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
The European Data Protection Board has published the Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version for public consultation (closed 27 June 2022). Work is currently underway to implement the final version of the guidelines.
-
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
-
Are there any identifiable trends in enforcement activity in your jurisdiction?
Poland fits into broader international trends:
- international data transfers continue to be a significant area of focus;
- children’s personal data continues to be high up on the agenda;
- the cybersecurity of websites.
Increased work can be observed also in the area of new technological solutions using personal data, including:
- reviewing the use of algorithms;
- reviewing the impact the use of AI on minorities, who weren’t part of the testing for this software.
We predict that regulators will focus also on:
- remote working monitoring: the regulators might want to ensure that a fair balance is respected between private life at work and control of workers’ activity;
- cloud services: contractual relations between controllers and sub-processors providing cloud solutions.
-
Are there any proposals for reforming data protection, privacy and/or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
EU-US data flows
The Schrems II decision made it more difficult for EU data controllers to use US-based data processors. That may change in 2023/2024.
In December 2022 the European Commission released a draft adequacy decision for the EU-US Data Privacy Framework, intended to allow safe data flows to the USA.
Even though US legislation remains the main issue for secure data transfers, the US side will have to guarantee EU data subjects judicial redress where government agencies access their data.
ePrivacy Regulation (EU)
This long-awaited regulation could be adopted in the near future.
The EU decision-making process is time-consuming, but according to recent information the current text of the regulation is supposed to be final, or close to it. Nevertheless, it remains uncertain whether it will be passed.
Outside of the EU
There is a proliferation of new privacy laws and amendments to existing privacy laws to keep up with. In particular, there are developments to be aware of in several US states and the UK.
Poland: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Poland.