Data Law Nav­ig­at­or | Po­land

In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws from CMS ex­perts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security

Data Protection

Last updated 8 October 2018

Risk scale


  • Act of 10 May 2018 on the Protection of Personal Data (“PDPA”)

In some respect also:

  • Act of 18 July 2002 on the provision of services by electronic means
  • Act of 16 July 2004 on the Telecommunications Law

Note: An important draft bill is currently in the legislative process – it is aimed to amend chosen acts to ensure the application of the General Data Protection Regulation (“GDPR”) (Introductory Bill – as defined below).


Anticipated changes to law

A number of acts still need to be amended to ensure the application of and comprehensive compliance with the GDPR and the PDPA (Introductory Bill – see below).

If applicable: stage of legislative implementation of GDPR

  • The PDPA (the main data protection act, amended by the GDPR; it entered into force on 25 May 2018; it has also amended over 40 laws).
  • Draft bill of 14 September 2018 amending chosen acts ensuring the application of regulation 2016/679 (“Introductory Bill”) (amending over 170 laws; it is currently being processed by the Government Legislation Centre).

If applicable: local derogations as permitted by GDPR 

  • Processing and freedom of expression and information (Article 85) – Yes
  • Processing and public access to official documents (Article 86) – Yes
  • Processing of national identification numbers (Article 87) – Yes
  • Processing in the context of employment (Article 88) – Yes
  • Safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89) – Yes
  • Obligations of secrecy (Article 90) – Yes
  • Existing data protection rules of churches and religious associations (Article 91) – Yes


In Poland, as in other EU member states, provisions of the GDPR are directly applicable which means that they are currently the primary source of rules for processing personal data and rights of individuals.

The PDPA sets out the rules on data protection to an extent not specifically covered by the GDPR, which includes rules concerning certification mechanisms, procedural rules for approving codes of conduct, operation of the data protection regulator (the President) as well as procedural rules and rules of inspections by the regulator.


The President has enforcement powers towards entities violating the GDPR and the PDPA.

For violations of data protection rules, administrative and, in some circumstances, also criminal sanctions may be imposed.

Administrative sanctions:

Pursuant to the GDPR and corresponding data protection provisions under Polish law, the President may in particular:

  • order the controller or the processor to comply with the data subject’s requests to exercise his or her rights;
  • order the controller or the processor to bring processing operations into compliance with the GDPR;
  • order that personal data be corrected, deleted or processed in a restricted manner.

The President may also impose administrative fines in accordance with the rules laid down by the GDPR.

Criminal sanctions:

Pursuant to the PDPA, possible criminal sanctions encompass a fine, restriction of personal liberty or imprisonment of up to 3 years and may be imposed in case of:

  • unlawful and unauthorised data processing;
  • hindering inspection proceedings conducted by the employees of the Office of Personal Data Protection.

Registration / notification 

The PDPA does not provide for an obligation to register data sets. Nor does it contain any notification obligations in this respect.

Note: under the GDPR, a controller and processor are obliged to keep a record of processing activities.

Main obligations and processing requirements

The main obligations and processing requirements that a data controller is obliged to comply with are specified in the GDPR. Pursuant to them, a data controller has to:

  • have at least one legal ground for the processing of personal data indicated in the GDPR;
  • use appropriate security measures, meet the technical and organisational requirements;
  • fulfil the information obligations;
  • respect and exercise the rights of data subjects;
  • ensure that the data are accurate and adequate to the purposes for which they are processed.

Data Subject Rights

Under the GDPR, data subject has the following rights:

  • right to access his/her personal data;
  • request to have his/her personal data rectified, erased or restricted;
  • object to the processing of personal data in certain cases e.g. direct marketing;
  • right to data portability (i.e. to receive the personal data in a structured, commonly used and machine readable manner);
  • the right not to be the subject to a decision based solely on automated processing.

Processing by third parties

Under the GDPR, a data controller may entrust the processing of personal data to another entity by concluding a contract or other legal act that is binding on the processor with regard to the controller. The data entrusted for processing may only be processed within the scope and for the purpose indicated in the contract and the processing entity is obliged to ensure technical and organisational measures to safeguard entrusted personal data.

Transfers out of country

Requirements for the transfers of personal data outside the EEA are now covered by the GDPR.

The GDPR stipulates that it is not allowed to transfer personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. adequacy decision issued by the European Commission, binding corporate rules, standard data protection clauses adopted by the European Commission or an approved code of conduct).

In the absence of the above safeguards, the transfer of personal data outside the EEA is permitted only in specific situations (e.g. when a data subject explicitly consents to such transfer).

Data Protection Officer

Prior the GDPR applicability, under Polish law, the position of an administrator of information security (ABI) existed, whose tasks were similar to the ones laid down by the GDPR for a data protection officer (“DPO”).

The appointment of a DPO is obligatory in cases specified in the GDPR. The DPO’s tasks include ensuring compliance with the provisions of the GDPR as well as the PDPA.

Pursuant to the GDPR, a person may be appointed to the position of DPO if they have relevant knowledge in the field of personal data protection.

The PDPA sets out the procedure for notifying the President of the DPO’s appointment. The PDPA also lays down requirements as to the publication of the DPO’s contact details.


The PDPA does not contain any specific provisions on security requirements that should be met by data controllers or processors. In this respect, appropriate provisions of the GDPR apply.

Data controllers and processors are obliged to ensure technical and organisational measures to ensure protection of the personal data processed, appropriate to the risks. The measures taken may in particular include the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as well as the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Breach notification

Breach notification obligations are specified in the GDPR. These obligations apply directly and include both the notification of a breach to the supervisory authority (the President) and to the data subject.

In addition, under Polish law, a provider of publicly available telecommunications services is specifically obliged to notify the President of the Office of Personal Data Protection of any personal data breach without delay, no later than within 3 days of the breach has been identified.

Direct Marketing

  • regular mail: consent is not necessary, direct marketing of data controller’s own products or services can be based on its legitimate interests, data subject has the right to opt-out
  • electronic mail: explicit consent required (opt-in)
  • phone: explicit consent required (opt-in)


Need to obtain user’s consent for the storage and use of cookies, unless cookies are functional cookies.

Useful links


Cyber Security

Last updated 8 October 2018

Risk scale

*immature cyber security regime with no or passive regulator

Laws and regulations

Provisions on cybersecurity are included in numerous pieces of legislation:

  • Act of 5 July 2018 on the National Cybersecurity System (“Cybersecurity System Act”);
  • Act of 26 April 2007 on the Emergency Management (“Emergency Management Act”);
  • Act of 17 February 2005 on the Implementation of IT Solutions to Entities Providing Public Administration Services (“Implementation of IT Solutions Act”);
  • Criminal Code of 6 June 1997 (“Criminal Code”);
  • Act of 16 July 2004 – Telecommunications Law (“Telecommunications Law”);
  • Act of 24 May 2002 on the Internal Security Agency and Intelligence Agency (“Internal Security Agency and Intelligence Agency Act”).

Anticipated changes to law

The NIS Directive has been transposed into Polish law by means of the Cybersecurity System Act, which entered into force on 28 August 2018.

The Cybersecurity System Act is the main piece of legislation dedicated to ensuring cybersecurity on a national level. Prior to its entry into force, cybersecurity-related provisions were spread over a number of acts. These provisions, however, still apply and now complement core regulations contained in the Cybersecurity System Act (see below).


  • The Cybersecurity System Act lays down various obligations for operators of essential services (e.g. energy, transport, banking) and, due to their reliance on IT systems, are particularly vulnerable to cyber threats. It also establishes specific cybersecurity-related requirements in respect of digital service providers. It also applies to public authorities (see the “Key obligations” section below for further information).
  • The Emergency Management Act sets out obligations for public authorities to secure critical infrastructure (both national and European), i.e. energy supply systems, communications sector, IT systems, transport, finance and continuity of public administration.
  • The Implementation of IT Solutions Act (together with executive acts) establishes security requirements for IT systems exploited by entities providing public administration services.
  • The Criminal Code sets out crimes concerning the protection of information.
  • The Telecommunications Law sets out obligations for providers of publicly available telecommunications services to safeguard the security of telecommunications networks.
  • The Internal Security Agency and Intelligence Agency Act sets out the Internal Security Agency’s obligations regarding defence against threats from cyberspace to the structure and security of the state.


  • Ministers and other authorities competent for strategic sectors (e.g. energy, transport, healthcare, banking) – they are obliged to control operators of essential services and digital service providers as to whether they comply with cybersecurity requirements. They have the right to order the removal of a breach and, in specific cases, impose financial penalties.
  • Ministry of Digitisation – realisation of tasks related to broadly defined cybersecurity. In particular: the development and implementation of strategic documents and legislation on cybersecurity, national and international cooperation, developing guidelines and standards for the establishment of appropriate means of protecting IT systems, preparing analyses on the status of cybersecurity and cybersecurity risks to the State, and developing centralised plans for training, exercises and tests.
  • Other Authorities such as: Cybersecurity Plenipotentiary in relevant administration units,  Government Security Centre, Government Emergency Management Team, Ministry of Internal Affairs and Administration, Internal Security Agency, Electronic Communications Office, Centre for IT Resources as an auxiliary unit of the Ministry of National Defence. 

Key obligations

  • The Cybersecurity System Act: obligation of operators of essential services to implement a cybersecurity management system, keep up-to-date cybersecurity documentation, manage cybersecurity breaches and report them to the relevant authorities. Similarly, the Act imposes on digital service providers the obligation to adopt proper and proportionate technical and organisational measures for managing risks to which their information systems are exposed.
  • Emergency Management Act: obligation to adopt measures capable of safeguarding the proper functioning of public telecommunications networks and ensuring security of telecommunications systems.
  • Implementation of IT Solutions Act: obligation of public authorities (making use of IT systems for the purposes of providing public administration services) to comply with technical requirements ensuring security of data being processed within those systems.
  • Criminal Code: penalization of conduct that breaches security of information (including the disruption of the operation of telecommunications networks).
  • Telecommunications Law: obligation of providers of telecommunications services to adopt technical and organizational measures to safeguard security and integrity of telecommunications networks. Obligation to notify the President of the Office of Electronic Communications of breaches of network and service security or integrity, which significantly affected the functioning of the networks or services.
  • Internal Security Agency and Intelligence Agency Act: obligation to detect and prevent threats to telecommunications networks which are relevant to national security.


  • Cybersecurity System Act: financial penalties for non-compliance with cybersecurity-related requirements.
  • Criminal Code: crimes concerning the protection of information listed in the Criminal Code: hacking, packet sniffing, thwarting access to computer data, computer sabotage, malware distribution and computer fraud, publishing extremist and fascist content.
  • Penalties: fine, restriction of liberty or deprivation of liberty.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Prior to the Cybersecurity System Act entered into force, three entities responsible for the management of computer security incidents operated on a national level. The Cybersecurity System Act entrusted them with new tasks so that they all became CSIRTs within the scope required by the NIS Directive. Thus, the following CSIRTs were established – CSIRT MON, CSIRT NASK and CSIRT GOV.

In general, they are supposed to monitor cybersecurity incidents, estimate risks as well as inform about the identified cybersecurity threats. More specifically, each CSIRT is obliged to coordinate the management of computer security incidents reported by the entities, which fall within its scope of competence.

Is there a national incident management structure for responding to cyber security incidents?

The CSIRTs indicated in the section above are now responsible for the management of computer security incidents on a national level.

Other cyber security initiatives

  • The Cybersecurity System Act provides for the obligation to create a Single Point of Contact ensuring cooperation between Polish authorities responsible for cybersecurity and relevant authorities in other EU member states.
  • The Cybersecurity System Act also provides for the obligation of the Council of Ministers to adopt a Cybersecurity Strategy for Poland – a document setting out strategic goals and appropriate political and regulatory measures aiming at achieving and maintaining high level of cybersecurity. The document in question has to be adopted by 31 October 2019.
  • The Cybersecurity System Act also provides for the obligation to appoint a Government Plenipotentiary for Cybersecurity (responsible for the coordination and implementation of the government’s policy regarding cybersecurity). The Plenipotentiary has to be appointed by 28 November 2018.
  • The Cybersecurity System Act establishes a College for Cybersecurity – an advisory body in matters relating to cybersecurity.
  • It is also worth mention about the National Framework for Cybersecurity Policy of Poland for 2017-2022 (“National Framework”).
    Main aim of National Framework: Ensuring a high level of security for the public and private sectors and citizens in the scope of provision or use of key services and digital services.
    Detailed aims of National Framework:
    • Achieving capability to carry out nationally coordinated actions to prevent, detect, combat and minimise the impact of incidents that compromise the security of IT systems vital to the functioning of the state;
    • Enhancing the capability to fight cyber threats;
    • Increasing national competencies in the scope of security in cyberspace;
    • Building a strong international position for Poland in the field of cybersecurity.

Useful links


< back to Overview


Picture of Tomasz Koryzma
Tomasz Koryzma