Data protection

1. Local data protection laws and scope

Act of 10 May 2018 on the Protection of Personal Data (“PDPA”)

Act of 21 February 2019 on amending certain laws to ensure the application of the General Data Protection Regulation (“Introductory Act”). The Introductory Act provided sectoral provisions concerning data protection amending over 160 laws, including banking law, payment services act, insurance and labour law.

A number of data protection provisions are contained in other sectoral legislation, such as:

  • Act of 12 July 2024 – Electronic Communication Law
  • Act of 18 July 2002 on the Provision of Services by Electronic Means
  • Act of 26 June 1974 – Labour Code
  • Act of 29 August 1997 – Banking Law

2. Data protection authority

President of the Office of Personal Data Protection (“UODO”) (https://uodo.gov.pl/en)

3. Anticipated changes to local laws

The latest significant amendments to local laws were introduced in 2023 and 2024 (e.g., regarding sobriety tests, remote work and whistleblowing).

Currently, there is legislative work underway on a draft act that would allow employers to verify the authenticity of university diplomas. This legislation is expected to significantly impact the legal framework governing HR background checks in Poland. The proposed change aims to address a legal gap that currently prevents employers from directly confirming diploma authenticity due to data protection restrictions.

Moreover, Poland has officially commenced legislative work on aligning Polish law with the EU Data Act (Regulation 2023/2854): in April 2025 the Ministry of Digitisation launched public pre-consultations with stakeholders.

4. Sanctions & non-compliance

Administrative sanctions

Based on the GDPR and corresponding data protection provisions under Polish law, the UODO may impose a number of corrective measures, e.g.:

  • order the controller or the processor to comply with the data subject’s requests to exercise his or her rights;
  • order the controller or the processor to bring processing operations into compliance with the GDPR; or
  • order that personal data be corrected, deleted or processed in a restricted manner.

The UODO may also impose administrative fines in accordance with the rules laid down by the GDPR.

Criminal sanctions

Based on the PDPA, possible criminal sanctions encompass a fine, restriction of personal liberty or imprisonment of up to 2 years (and in a case where sensitive personal data are involved, up to 3 years) and may be imposed in the case of:

  • unlawful and unauthorised data processing; or
  • hindering or obstructing inspection proceedings conducted by the employees of the UODO; or
  • in the course of pending proceedings concerning the imposition of an administrative fine – failing to provide sufficient data necessary to determine the amount of such administrative fine.

Compensation claims

Individuals who have suffered damage as a result of unlawful processing may claim compensation from the respective controller or processor under the general rules of the GDPR and Polish civil law.

5. Registration / notification / authorisation

Under PDPA, there are no local specific registration or notification obligations, except for the requirement to notify the appointment of a DPO/deputy DPO to the UODO.

6. Main obligations and processing requirements

The main obligations and processing requirements that a data controller is obliged to comply with are specified in the GDPR. Pursuant to them, a data controller has to:

  • have legal grounds for the processing of the personal data indicated in the GDPR;
  • apply appropriate security measures and meet the technical and organisational requirements;
  • fulfil the information obligations;
  • respect and exercise the rights of data subjects;
  • ensure that the data are accurate and adequate to the purposes for which they are processed.

A breach of the above obligations can result in serious penalties. For instance, the UODO imposed:

  • a fine of PLN 18,416,400 (approx. EUR 4,323,250) on a bank for a lack of a sufficient legal basis for data processing, specifically excessively copying (scanning) identity documents of customers without carrying out an individual assessment of the risks associated with the customer concerned and its activities in light of AML regulations;
  • a fine of PLN 16,932,657 (approx. EUR 3,955,000) on McDonald’s Polska sp. z o.o. for non-compliance with general data processing principles, in particular insufficient risk analysis of the data processing operations, lack of appropriate safeguards and failure to enforce the data processing agreement with a data processor, which led to the disclosure of personal data in a publicly available catalogue. The processor received a fine of PLN 183,858 (approx. EUR 43,000);
  • a fine of PLN 4,911,732 (approx. EUR 1,116,000) on a controller for a failure to apply appropriate technical and organisational measures to ensure personal data security and failing to verify the processor. The processor received a fine of PLN 250,000 (approx. EUR 57,000);
  • a fine of PLN 2,830,410 (approx. EUR 663,000) (2019) on a controller for a failure to apply appropriate technical and organisational measures to protect confidentiality of personal data and later of PLN 3,800,000 (approx. EUR 863,000) (2024) also for failure to apply appropriate technical and organisational measures which resulted in data leakage (Morele.net cases).

In addition to the core obligations and requirements resulting from the GDPR, Polish national legislation introduces several country-specific data protection rules. These are particularly important in the context of HR data processing, as Polish labour and social security laws impose specific requirements in this area. 

7. Data subject rights

Under the GDPR, a data subject has the following rights:

  • a right to access his/her personal data;
  • a right to request to have his/her personal data rectified, erased or restricted;
  • a right to object to the processing of personal data in certain cases, e.g. direct marketing;
  • a right to data portability (i.e. to receive the personal data in a structured, commonly used and machine-readable manner);
  • a right not to be subject to a decision based solely on automated processing.

Certain local laws, however, provide for exceptions or limitations to specific data subject rights. For instance, the Polish Act of 14 June 2024 on the protection of whistleblowers restricts the right to access information about the source of personal data. Similarly, the Polish Act of 9 March 2023 on clinical trials allows for specific limitations of certain data subject rights during and after the clinical trial process. Moreover, the PDPA lays down that most of the data subject rights do not apply in the case of activities involving the editing, preparation, creation or publication of press materials within the meaning of the Polish Press Law, as well as to statements made in the course of literary or artistic activities.

8. Processing by third parties

Under the GDPR, a data controller may entrust the processing of personal data to another entity by concluding a contract or other legal act that is binding on the processor with regard to the controller. The data entrusted for processing may only be processed within the scope and for the purpose indicated in the contract and the processing entity is obliged to ensure technical and organisational measures to safeguard entrusted personal data.

Moreover, in certain cases, Polish law requires data controllers to grant access to personal data only to individuals who hold written authorisation to process such data. This requirement is particularly relevant for those handling special categories of employee data on behalf of the employer (e.g. HR staff).

9. Transfers out of country

Requirements for transfers of personal data outside the EEA are covered by the GDPR.

The GDPR stipulates that it is not allowed to transfer personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. adequacy decision issued by the European Commission, binding corporate rules, standard data protection clauses adopted by the European Commission or an approved code of conduct).

In the absence of the above safeguards, the transfer of personal data outside the EEA is permitted only in specific situations (e.g. when a data subject explicitly consents to such transfer).

10. Data Protection Officer

The appointment of a DPO is obligatory in the cases laid down in the GDPR and the PDPA.

The PDPA specifies that the public authorities or bodies obliged to designate a DPO are units of the public finance sector, research institutes and the National Bank of Poland.

The PDPA also sets out the mandatory procedure for notifying the UODO of the DPO’s (Deputy DPO’s) appointment and lays down requirements as to the publication of the DPO’s contact details.

11. Security

The PDPA does not contain any specific provisions on the security requirements that should be met by data controllers or processors. However, certain local laws set out some additional rules on data security, e.g. in an employment context (written authorisation to process the special categories of personal data) and in relation to providers of publicly available telecommunications services.

Data controllers and processors are obliged to implement technical and organisational measures to ensure protection of the processed personal data, appropriate to the risks. The measures taken may include in particular the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as well as the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

12. Breach notification

Breach notification obligations are specified in the GDPR. These obligations apply directly and include the obligation to notify the supervisory authority (the UODO) and – in particular cases – the data subject of a breach.

Some additional data breach notification obligations apply to providers of publicly available telecommunications services.

The UODO has recently published its official updated Guide on Data Breaches, which includes the latest legal interpretations, case law and practical guidance in relation to handling data breaches (available here: https://uodo.gov.pl/en/553/1861). 

13. Direct marketing

The most common direct marketing communication is:

  • postal mail: consent is not necessary;
  • e-mail: prior explicit consent required for the specified communication channel (opt-in);
  • phone: prior explicit consent required for the specified communication channel (opt-in).

It should be noted that the above consent requirements result from the Electronic Communications Act and relate to the use of automatic calling systems or telecommunication terminal equipment for the purpose of sending commercial information, including direct marketing. Under the Electronic Communications Act the subscriber or end-user can also grant consent by providing an electronic address that identifies them.

The consent to e-mail and phone marketing communications must meet the GDPR requirements, so it is also crucial to implement solutions that will enable data subjects to easily withdraw their consent.

Apart from the abovementioned requirements, it is necessary to establish a relevant GDPR legal basis for processing personal data for direct marketing purposes and comply with transparency requirements.

The requirements discussed above have been confirmed in decisions issued by the Polish authorities, for example:

  • in the Arstele case, the President of the Office of Competition and Consumer Protection (UOKIK) imposed a fine of PLN 69,967 (approx. EUR 15,900) and then PLN 10,523 (approx. EUR 2,390) for directing marketing phone calls to consumers without their prior consent; the UOKIK stressed that it is insufficient to ask for consent at the beginning of a phone call;
  • in the Koksztys case, the President of the Electronic Communication Office (UKE) imposed a fine of PLN 80,000 (approx. EUR 18,200) for telemarketing without prior, explicit consent; the UKE stressed that even though the marketing agency acted on Koksztys’ behalf, it is not the marketing agency but the ordering party who failed to meet the consent requirements and should be held liable (as marketing activities were aimed at promoting the services of Koksztys). This shows that outsourcing marketing activities does not release an entity from the obligation to obtain consent (regardless of internal arrangements made with a marketing agency);
  • in the ClickQuickNow case, the UODO imposed a fine of PLN 201,559.50 (approx. EUR 45,800) for the non-implementation of appropriate technical and organisational measures that would allow contacted persons (contestants) to easily and effectively withdraw their marketing consent.

14. Cookies and adtech

Website operators need to obtain a user’s consent for the storage and use of cookies and adtech, unless the cookies are functional cookies. Website operators are prohibited from using pre-checked boxes to obtain consent.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

Provisions on cybersecurity are included in numerous pieces of legislation, including:

  • The Act of 5 July 2018 on the National Cybersecurity System (“Cybersecurity System Act”);
  • The Act of 26 April 2007 on Emergency Management (“Emergency Management Act”);
  • The Act of 17 February 2005 on the Implementation of IT Solutions to Entities Providing Public Administration Services (“Implementation of IT Solutions Act”);
  • The Criminal Code of 6 June 1997 (“Criminal Code”);
  • The Act of 16 July 2004 – Telecommunications Law (“Telecommunications Law”)*;
  • The Act of 24 May 2002 on the Internal Security Agency and Intelligence Agency (“Internal Security Agency and Intelligence Agency Act”);
  • The Act of 10 June 2016 on anti-terrorist activities (“Anti-terrorist Act”);
  • The Act of 14 December 2018 on Personal Data Protection processed in relation to the prevention and combating of crime (“Police Act”); and
  • The Act of 25 June 2025 on the National Cybersecurity Certification System (“National Cybersecurity Certification Scheme Act”).

*On 10 November 2024, the Act ceased to be in force, except for selected provisions which remain effective until the implementation of the NIS2 Directive.

2. Anticipated changes to local laws

The NIS Directive was transposed into Polish law by the Cybersecurity System Act, which entered into force on 28 August 2018. In 2023 the Cybersecurity System Act implemented the regulations of the European Electronic Communications Code (Directive (EU) 2018/1972), and was amended with certain provisions to streamline the system.

Currently, Poland is in the process of implementing the NIS2 Directive (Directive (EU) 2022/2555), with the seventh consolidated draft of the amended Cybersecurity System Act published in August 2025. The new law will significantly expand the scope of regulated entities and introduce stricter compliance obligations and sanctions.

3. Application

  • The Cybersecurity System Act lays down various obligations for operators of essential services (e.g. energy, transport, banking) who, due to their reliance on IT systems, are particularly vulnerable to cyber threats. It also establishes specific cybersecurity-related requirements with regard to digital service providers. This Act also applies to public authorities (see the “Key obligations” section below for further information).
  • The Emergency Management Act sets out obligations for public authorities to secure critical infrastructure (both national and European), i.e. energy supply systems, communications sector, IT systems, transport, finance and continuity of public administration.
  • The Implementation of IT Solutions Act (together with executive acts) establishes security requirements for IT systems exploited by entities providing public administration services.
  • The Criminal Code lists crimes concerning the protection of information.
  • The Telecommunications Law sets out obligations for providers of publicly available telecommunications services to safeguard the security of telecommunications networks.
  • The Internal Security Agency and Intelligence Agency Act sets out the Internal Security Agency’s obligations regarding defence against threats from cyberspace to the structure and security of the state.
  • The Police Act sets out the rules for the protection of personal data processed for the purpose of the detection, prevention and investigation of criminal offences.
  • The National Cybersecurity Certification Scheme Act establishes a structured framework for the cybersecurity certification of ICT products, services and processes in Poland.

4. Authority

  • Ministers and other authorities competent for strategic sectors (e.g. energy, transport, healthcare, banking) are obliged to supervise operators of essential services and digital service providers as to whether they comply with cybersecurity requirements. They have the right to order the removal of breaches and, in specific cases, impose financial penalties.
  • Ministry of Digitisation – implementation of tasks related to broadly defined cybersecurity. In particular: the development and implementation of strategic documents and legislation on cybersecurity, national and international cooperation, developing guidelines and standards for the establishment of appropriate means of protecting IT systems, preparing analyses on the status of cybersecurity and cybersecurity risks to the State, and developing centralised plans for training, exercises and tests.
  • Other authorities, such as: the Government Security Centre, the Government Emergency Management Team, the Ministry of Internal Affairs and Administration, the Internal Security Agency, the Electronic Communications Office, and the Centre for IT Resources as an auxiliary unit of the Ministry of National Defence.

5. Key obligations 

  • The Cybersecurity System Act: obligation of operators of essential services to implement a cybersecurity management system, keep up-to-date cybersecurity documentation, manage cybersecurity breaches and report them to the relevant authorities. Similarly, the Act imposes the obligation on digital service providers to adopt proper and proportionate technical and organisational measures for managing risks to which their information systems are exposed. The obligations resulting from the Act are further specified in implementing provisions issued by the Minister of Digitisation on 4 December 2019. They set out detailed technical and organisational requirements for (i) providers of cybersecurity services and (ii) internal organisational structures of operators of essential services responsible for cybersecurity. Businesses concerned should note that many of those requirements depend on the result of their risk assessment.  
  • Emergency Management Act: obligation to adopt measures capable of safeguarding the proper functioning of public critical infrastructure (including telecommunications networks) and ensuring its security.
  • Implementation of IT Solutions Act: obligation of public authorities (making use of IT systems for the purposes of providing public administration services) to comply with technical requirements ensuring security of the data being processed within those systems.
  • Criminal Code: penalisation of conduct that breaches security of information (including the disruption of the operation of telecommunications networks).
  • Telecommunications Law*: obligation of providers of telecommunications services to adopt technical and organisational measures to safeguard the security and integrity of telecommunications networks. Obligation to notify the authorities of breaches of network and service security or integrity, which significantly affected the functioning of the networks or services.
  • Internal Security Agency and Intelligence Agency Act: obligation to detect and prevent threats to telecommunications networks which are relevant to national security.
  • The Police Act: obligation to protect personal data processed for the purpose of the detection, prevention and investigation of criminal offences.

*On 10 November 2024, the Act ceased to be in force, except for selected provisions which remain effective until the implementation of the NIS2 Directive. 

6. Sanctions & non-compliance 

  • Cybersecurity System Act: financial penalties for non-compliance with cybersecurity-related requirements.
  • Criminal Code: the crimes concerning the protection of information listed in the Criminal Code include hacking, packet sniffing, thwarting access to computer data, computer sabotage, malware distribution, computer fraud, and publishing extremist and fascist content. Depending on the crime, the Criminal Code provides for the following penalties: a fine, restriction of liberty or imprisonment.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes.

Before the Cybersecurity System Act entered into force, three entities responsible for the management of computer security incidents operated on a national level. The Cybersecurity System Act entrusted them with new tasks so that they all became CSIRTs within the scope required by the NIS Directive. Thus, the following CSIRTs were established – CSIRT MON, CSIRT NASK, and CSIRT GOV.

In general, they are supposed to monitor cybersecurity incidents, estimate risks and inform about identified cybersecurity threats. More specifically, each CSIRT is obliged to coordinate the management of computer security incidents reported by the entities which fall within its scope of competence.

8. National cybersecurity incident management structure

The CSIRTs indicated in the section above are now responsible for the management of cybersecurity incidents at the national level.

9. Other cybersecurity initiatives 

  • The Cybersecurity System Act provides for the obligation to create a Single Point of Contact ensuring cooperation between Polish authorities responsible for cybersecurity and relevant authorities in other EU member states. The Single Point of Contact operates within the Minister of Digitisation.
  • The Cybersecurity System Act also provides for the obligation of the Council of Ministers to adopt a Cybersecurity Strategy for Poland (“Cybersecurity Strategy”) – a document setting out strategic goals and appropriate political and regulatory measures aimed at achieving and maintaining a high level of cybersecurity. On 31 October 2019, the Cybersecurity Strategy for 2019-2024 started to apply. It replaced the National Framework for Cybersecurity Policy of Poland for 2017-2022. Work is currently underway on the draft of the Cybersecurity Strategy for 2025-2029.
  • The main aim of the Cybersecurity Strategy: increasing the level of resistance to cyber threats and the level of information protection in the public, military and private sectors.
  • Detailed aims of the Cybersecurity Strategy:
    • development of a national cybersecurity system,
    • increasing the resilience of public administration and private sector information systems and achievement of a capacity to effectively prevent and respond to incidents (to achieve this goal, the National Cyber Security Standards are to be drawn up),
    • increasing national capacity in the field of cybersecurity technologies,
    • building awareness and social competence in the field of cybersecurity,
    • building a strong international position of Poland in the area of cybersecurity.

The Cybersecurity System Act establishes a College for Cybersecurity – an advisory body in matters relating to cybersecurity.