Data Law Navigator | Poland
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Jump directly to Cyber Security
Last updated 11 July 2019
- Act of 10 May 2018 on the Protection of Personal Data (“PDPA”)
- Act of 21 February 2019 on changes of certain laws ensuring the application of the General Data Protection Regulation (“Introductory Act”). The Act amended over 160 laws, where special attention should be paid to the:
- Act of 18 July 2002 on the provision of services by electronic means
- Act of 16 July 2004 on the Telecommunications Law
- Act of 26 June 1974 – Labour Code
- Act of 4 March 1994 on the Company Social Benefits Fund
- Act of 29 August 1997 – Banking Law
- Act of 19 August 2011 on Payment Services
- Act of 11 September 2015 on Insurance and Reinsurance Activity
- Act of 12 May 2011 on Consumer Credit
- Act of 29 January 2004 - Public Procurement Law
- Act of 6 November 2008 on Patient’s Rights
- Act of 30 May 2014 on Consumer Rights
- Act of 25 February 2016 on Re-use of Public Information
- President of the Office of Personal Data Protection (“UODO”) (https://uodo.gov.pl/)
Anticipated changes to law
The most significant changes introduced by the Introductory Act are as follows:
- Marketing activities: the obtaining of consent for e-mail and telephone marketing communications needs to be in compliance with data protection provisions (i.e. the GDPR). Businesses should thus verify whether their currently used marketing consent forms meet the new requirements;
- Recruitment and employment: the catalogue of personal data that the employer is able to request from an employee or person applying for employment has been modified;
- CCTV / video surveillance: additional restrictions and obligations in relation to CCTV usage (e.g. monitoring that covers areas such as changing rooms, canteens or smoking rooms);
- Company Social Benefits Fund: an obligation to review, at least once a calendar year, the data provided to the employer for the needs of benefits, in order to determine the necessity of their further storage;
- Profiling and automated decision making: express basis for banks and insurers to use automated processing of personal data (e.g. profiling in order to determine the creditworthiness of a data subject and underwriting);
- New obligations in the financial sector, including the obligation to provide clients with explanations of the grounds of creditworthiness decisions made by banks and to obtain human intervention;
- Informational obligations: applicability of Article 14 of the GDPR has been in some instances limited (e.g. in relation to re-using public information);
- Data subjects’ rights: some other rights (e.g. data access right) have been limited or excluded (e.g. in relation to fraud prevention);
- Legal basis for the processing of sensitive data: insurance companies have an express legal basis for processing health data of their clients and prospective clients.
If applicable: stage of legislative implementation of GDPR
- The Introductory Act of 21 February 2019 on changes of certain laws ensuring the application of the General Data Protection Regulation entered into force on 4 May 2019
- The PDPA (the main data protection act that sets out procedural issues) entered into force on 25 May 2018)
If applicable: local derogations as permitted by GDPR
- Processing and freedom of expression and information (Article 85) – Yes
- Processing and public access to official documents (Article 86) – Yes
- Processing of national identification numbers (Article 87) – Yes
- Processing in the context of employment (Article 88) – Yes
- Safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89) – Yes
- Secrecy obligations (Article 90) – Yes
- Existing data protection rules of churches and religious associations (Article 91) – Yes
In Poland, as in other EU member states, the provisions of the GDPR are directly applicable, which means that they are currently the primary source of rules for processing personal data and rights of individuals.
The PDPA sets out the rules on data protection to an extent not specifically covered by the GDPR, which includes rules concerning certification mechanisms, procedural rules for approving codes of conduct, operation of the data protection regulator (the President of the Office of Personal Data Protection) as well as procedural rules and rules of inspections by the regulator.
The Introductory Act sets out the rules on data protection which supplement GDPR provisions, in relation to e.g. legal basis for the processing of personal data for particular purposes, scope of data subjects’ rights, profiling and automated decision making, processing in the context of employment, etc.
The UODO has enforcement powers towards entities violating the GDPR, PDPA and the legal acts amended by the Introductory Act.
For violations of data protection rules, administrative and, in some circumstances, also criminal sanctions may be imposed.
Pursuant to the GDPR and corresponding data protection provisions under Polish law, the UODO may in particular:
- order the controller or the processor to comply with the data subject’s requests to exercise his or her rights;
- order the controller or the processor to bring processing operations into compliance with the GDPR;
- order that personal data be corrected, deleted or processed in a restricted manner.
The UODO may also impose administrative fines in accordance with the rules laid down by the GDPR.
Pursuant to the PDPA, possible criminal sanctions encompass a fine, restriction of personal liberty or imprisonment of up to 3 years and may be imposed in case of:
- unlawful and unauthorised data processing;
- hindering inspection proceedings conducted by the employees of the Office of Personal Data Protection.
Registration / notification
The PDPA does not provide for an obligation to register data sets. Nor does it contain any notification obligations in this respect.
Note: under the GDPR, a controller and processor are obliged to keep a record of processing activities.
Main obligations and processing requirements
The main obligations and processing requirements that a data controller is obliged to comply with are specified in the GDPR. Pursuant to them, a data controller has to:
- have legal grounds for the processing of personal data indicated in the GDPR;
- apply appropriate security measures and meet the technical and organisational requirements;
- fulfil the information obligations;
- respect and exercise the rights of data subjects;
- ensure that the data are accurate and adequate to the purposes for which they are processed.
Data Subject Rights
Under the GDPR, data subject has the following rights:
- right to access his/her personal data;
- request to have his/her personal data rectified, erased or restricted;
- object to the processing of personal data in certain cases e.g. direct marketing;
- right to data portability (i.e. to receive the personal data in a structured, commonly used and machine readable manner);
- right not to be subject to a decision based solely on automated processing.
Processing by third parties
Under the GDPR, a data controller may entrust the processing of personal data to another entity by concluding a contract or other legal act that is binding on the processor with regard to the controller. The data entrusted for processing may only be processed within the scope and for the purpose indicated in the contract and the processing entity is obliged to ensure technical and organisational measures to safeguard entrusted personal data.
Transfers out of country
Requirements for transfers of personal data outside the EEA are now covered by the GDPR.
The GDPR stipulates that it is not allowed to transfer personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. adequacy decision issued by the European Commission, binding corporate rules, standard data protection clauses adopted by the European Commission or an approved code of conduct).
In the absence of the above safeguards, the transfer of personal data outside the EEA is permitted only in specific situations (e.g. when a data subject explicitly consents to such transfer).
Data Protection Officer
Prior to GDPR applicability, under Polish law, the position of an administrator of information security ("ABI") existed, whose tasks were similar to the ones laid down by the GDPR for a data protection officer (“DPO”).
The appointment of a DPO is obligatory in cases specified in the GDPR. The DPO’s tasks include ensuring compliance with the provisions of the GDPR as well as the PDPA.
Pursuant to the GDPR, a person may be appointed to the position of DPO if they have relevant knowledge in the field of personal data protection.
The PDPA sets out the procedure for notifying the President of the DPO’s appointment. The PDPA also lays down requirements as to the publication of the DPO’s contact details.
The PDPA does not contain any specific provisions on security requirements that should be met by data controllers or processors. In this respect, appropriate provisions of the GDPR apply. The Introductory Act sets out some additional rules on data security, e.g. in an employment context (written authorisation to process the data) and in relation to providers of publicly available telecommunications services.
Data controllers and processors are obliged to ensure technical and organisational measures to ensure protection of the processed personal data, appropriate to the risks. The measures taken may in particular include the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as well as the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Breach notification obligations are specified in the GDPR. These obligations apply directly and include the obligation to notify the supervisory authority (the UODO) and the data subject of a breach.
Some additional data breach notification obligations apply to providers of publicly available telecommunications services.
- regular mail: consent is not necessary, direct marketing of data controller’s own products or services can be based on its legitimate interests, data subject has the right to opt-out
- electronic mail: explicit consent required (opt-in)
- phone: explicit consent required (opt-in)
Last updated 11 July 2019
*immature cyber security regime with no or passive regulator
Laws and regulations
Provisions on cybersecurity are included in numerous pieces of legislation, including:
- Act of 5 July 2018 on the National Cybersecurity System (“Cybersecurity System Act”);
- Act of 26 April 2007 on Emergency Management (“Emergency Management Act”);
- Act of 17 February 2005 on the Implementation of IT Solutions to Entities Providing Public Administration Services (“Implementation of IT Solutions Act”);
- Criminal Code of 6 June 1997 (“Criminal Code”);
- Act of 16 July 2004 – Telecommunications Law (“Telecommunications Law”);
- Act of 24 May 2002 on the Internal Security Agency and Intelligence Agency (“Internal Security Agency and Intelligence Agency Act”);
- Act of 14 December 2018 on Personal Data Protection processed in relation to the prevention and combating of crime (“Police Act”).
Anticipated changes to law
The NIS Directive has been transposed into Polish law by means of the Cybersecurity System Act, which entered into force on 28 August 2018.
The Cybersecurity System Act is the main piece of legislation dedicated to ensuring cybersecurity on a national level. Prior to its entry into force, cybersecurity-related provisions were spread over a number of acts. These provisions, however, still apply and now complement core regulations contained in the Cybersecurity System Act (see below).
- TheCybersecurity System Act lays down various obligations for operators of essential services (e.g. energy, transport, banking) and, due to their reliance on IT systems, are particularly vulnerable to cyber threats. It also establishes specific cybersecurity-related requirements in respect of digital service providers. It also applies to public authorities (see the “Key obligations” section below for further information).
- The Emergency Management Act sets out obligations for public authorities to secure critical infrastructure (both national and European), i.e. energy supply systems, communications sector, IT systems, transport, finance and continuity of public administration.
- The Implementation of IT Solutions Act (together with executive acts) establishes security requirements for IT systems exploited by entities providing public administration services.
- The Criminal Code sets out crimes concerning the protection of information.
- The Telecommunications Law sets out obligations for providers of publicly available telecommunications services to safeguard the security of telecommunications networks.
- The Internal Security Agency and Intelligence Agency Act sets out the Internal Security Agency’s obligations regarding defence against threats from cyberspace to the structure and security of the state.
- The Police Act sets out the rules for the protection of personal data processed for the purpose of the detection, prevention and investigation of criminal offences.
- Ministers and other authorities competent for strategic sectors (e.g. energy, transport, healthcare, banking) – are obliged to control operators of essential services and digital service providers as to whether they comply with cybersecurity requirements. They have the right to order the removal of breaches and, in specific cases, impose financial penalties.
- Ministry of Digitisation – implementation of tasks related to broadly defined cybersecurity. In particular: the development and implementation of strategic documents and legislation on cybersecurity, national and international cooperation, developing guidelines and standards for the establishment of appropriate means of protecting IT systems, preparing analyses on the status of cybersecurity and cybersecurity risks to the State, and developing centralised plans for training, exercises and tests.
- Other Authorities such as: Cybersecurity Plenipotentiary in relevant administration units, Government Security Centre, Government Emergency Management Team, Ministry of Internal Affairs and Administration, Internal Security Agency, Electronic Communications Office, Centre for IT Resources as an auxiliary unit of the Ministry of National Defence.
- The Cybersecurity System Act: obligation of operators of essential services to implement a cybersecurity management system, keep up-to-date cybersecurity documentation, manage cybersecurity breaches and report them to the relevant authorities. Similarly, the Act imposes on digital service providers the obligation to adopt proper and proportionate technical and organisational measures for managing risks to which their information systems are exposed.
- Emergency Management Act: obligation to adopt measures capable of safeguarding the proper functioning of public telecommunications networks and ensuring security of telecommunications systems.
- Implementation of IT Solutions Act: obligation of public authorities (making use of IT systems for the purposes of providing public administration services) to comply with technical requirements ensuring security of data being processed within those systems.
- Criminal Code: penalization of conduct that breaches security of information (including the disruption of the operation of telecommunications networks).
- Telecommunications Law: obligation of providers of telecommunications services to adopt technical and organizational measures to safeguard the security and integrity of telecommunications networks. Obligation to notify the authorities of breaches of network and service security or integrity, which significantly affected the functioning of the networks or services.
- Internal Security Agency and Intelligence Agency Act: obligation to detect and prevent threats to telecommunications networks which are relevant to national security.
- The Police Act: obligation to protect personal data processed for the purpose of the detection, prevention and investigation of criminal offences.
- Cybersecurity System Act: financial penalties for non-compliance with cybersecurity-related requirements.
- Criminal Code: crimes concerning the protection of information listed in the Criminal Code: hacking, packet sniffing, thwarting access to computer data, computer sabotage, malware distribution and computer fraud, publishing extremist and fascist content.
- Penalties: fine, restriction of liberty or deprivation of liberty.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Before the Cybersecurity System Act entered into force, three entities responsible for the management of computer security incidents operated on a national level. The Cybersecurity System Act entrusted them with new tasks so that they all became CSIRTs within the scope required by the NIS Directive. Thus, the following CSIRTs were established – CSIRT MON, CSIRT NASK and CSIRT GOV.
In general, they are supposed to monitor cybersecurity incidents, estimate risks as well as inform about the identified cybersecurity threats. More specifically, each CSIRT is obliged to coordinate the management of computer security incidents reported by the entities, which fall within its scope of competence.
Is there a national incident management structure for responding to cyber security incidents?
The CSIRTs indicated in the section above are now responsible for the management of computer security incidents on a national level.
Other cyber security initiatives
- The Cybersecurity System Act provides for the obligation to create a Single Point of Contact ensuring cooperation between Polish authorities responsible for cybersecurity and relevant authorities in other EU member states.
- The Cybersecurity System Act also provides for the obligation of the Council of Ministers to adopt a Cybersecurity Strategy for Poland – a document setting out strategic goals and appropriate political and regulatory measures aiming at achieving and maintaining a high level of cybersecurity.
- The Cybersecurity System Act also provides for the obligation to appoint a Government Plenipotentiary for Cybersecurity (responsible for the coordination and implementation of the government’s policy regarding cybersecurity). The Plenipotentiary was appointed on 7 December 2018.
- The Cybersecurity System Act establishes a College for Cybersecurity – an advisory body in matters relating to cybersecurity.
- It is also worth mentioning the National Framework for Cybersecurity Policy of Poland for 2017-2022 (“National Framework”).
The main aim of the National Framework: Ensuring a high level of security for the public and private sectors and citizens in the scope of the provision or use of key services and digital services.
Detailed aims of the National Framework:
- Achieving capability to carry out nationally coordinated actions to prevent, detect, combat and minimise the impact of incidents that compromise the security of IT systems vital to the functioning of the state;
- Enhancing the capability to fight cyber threats;
- Increasing national competencies in the scope of security in cyberspace;
- Building a strong international position for Poland in the field of cybersecurity.