The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated March 2020
- Act of 10 May 2018 on the Protection of Personal Data (“PDPA”)
- Act of 21 February 2019 on changes of certain laws ensuring the application of the General Data Protection Regulation (“Introductory Act”). The Act amended over 160 laws; particular attention should be paid to the:
- Act of 18 July 2002 on the provision of services by electronic means
- Act of 16 July 2004 on the Telecommunications Law
- Act of 26 June 1974 – Labour Code
- Act of 4 March 1994 on the Company Social Benefits Fund
- Act of 29 August 1997 – Banking Law
- Act of 19 August 2011 on Payment Services
- Act of 11 September 2015 on Insurance and Reinsurance Activity
- Act of 12 May 2011 on Consumer Credit
- Act of 29 January 2004 – Public Procurement Law
- Act of 6 November 2008 on Patient’s Rights
- Act of 30 May 2014 on Consumer Rights
- Act of 25 February 2016 on Re-use of Public Information
Anticipated changes to law
The most significant changes introduced by the Introductory Act are as follows:
- Marketing activities: obtaining consent for e-mail and telephone marketing communications needs to be in compliance with data protection provisions (i.e. the GDPR). Businesses should thus verify whether their currently used marketing consent forms meet the new requirements;
- Recruitment and employment: the catalogue of personal data that the employer is able to request from an employee or person applying for employment has been modified;
- CCTV / video surveillance: additional restrictions and obligations in relation to CCTV usage (e.g. monitoring that covers areas such as changing rooms, canteens or smoking rooms);
- Company Social Benefits Fund: an obligation to review, at least once per calendar year, the data provided to the employer for the needs of benefits, in order to determine the necessity of their continued storage;
- Profiling and automated decision making: express basis for banks and insurers to use automated processing of personal data (e.g. profiling in order to determine the creditworthiness of a data subject and underwriting);
- New obligations in the financial sector, including the obligation of banks to provide clients with an explanation of the grounds of creditworthiness decisions and the clients’ right to obtain human intervention in such decisions;
- Informational obligations: applicability of Article 14 of the GDPR has been limited in some instances (e.g. in relation to re-using public information);
- Data subjects’ rights: some other rights (e.g. data access rights) have been limited or excluded (e.g. in relation to fraud prevention);
- Legal basis for the processing of sensitive data: insurance companies have an express legal basis for processing health data of their clients and prospective clients.
If applicable: stage of legislative implementation of GDPR
- The Introductory Act of 21 February 2019 on changes of certain laws ensuring the application of the General Data Protection Regulation entered into force on 4 May 2019
- The PDPA (the main data protection act that sets out procedural issues) entered into force on 25 May 2018
If applicable: local derogations as permitted by GDPR
- Processing and freedom of expression and information (Article 85) – Yes
- Processing and public access to official documents (Article 86) – Yes
- Processing of national identification numbers (Article 87) – Yes
- Processing in the context of employment (Article 88) – Yes
- Safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89) – Yes
- Secrecy obligations (Article 90) – Yes
- Existing data protection rules of churches and religious associations (Article 91) – Yes
In Poland, as in other EU member states, the provisions of the GDPR are directly applicable, which means that they are currently the primary source of rules for processing personal data and rights of individuals.
The PDPA sets out the rules on data protection to an extent not specifically covered by the GDPR, which includes rules concerning certification mechanisms, procedural rules for approving codes of conduct, operation of the data protection regulator (the President of the Personal Data Protection Office, Urząd Ochrony Danych Osobowych, “UODO”) as well as procedural rules and rules of inspections by the regulator.
The Introductory Act sets out the rules on data protection which supplement GDPR provisions, in relation to e.g. legal basis for the processing of personal data for particular purposes, scope of data subjects’ rights, profiling and automated decision making, processing in the context of employment, etc.
The UODO has enforcement powers towards entities violating the GDPR, PDPA and the legal acts amended by the Introductory Act.
For violations of data protection rules, administrative and, in some circumstances, criminal sanctions may be imposed.
Pursuant to the GDPR and corresponding data protection provisions under Polish law, the UODO may in particular:
- order the controller or the processor to comply with the data subject’s requests to exercise his or her rights;
- order the controller or the processor to bring processing operations into compliance with the GDPR; or
- order that personal data be corrected, deleted or processed in a restricted manner.
The UODO may also impose administrative fines in accordance with the rules laid down by the GDPR.
Pursuant to the PDPA, possible criminal sanctions encompass a fine, restriction of personal liberty or imprisonment of up to 2 years (and in case where sensitive personal data are involved, up to 3 years) and may be imposed in case of:
- unlawful and unauthorised data processing; or
- hindering inspection proceedings conducted by the employees of the Office of Personal Data Protection.
The PDPA does not provide for an obligation to register data sets. Nor does it contain any notification obligations in this respect.
Note: under the GDPR, a controller and processor are obliged to keep a record of processing activities.
Main obligations and processing requirements
The main obligations and processing requirements that a data controller is obliged to comply with are specified in the GDPR. Pursuant to them, a data controller has to:
- have legal grounds for the processing of personal data indicated in the GDPR;
- apply appropriate security measures and meet the technical and organisational requirements;
- fulfil the information obligations;
- respect and exercise the rights of data subjects;
- ensure that the data are accurate and adequate to the purposes for which they are processed.
Breach of the above obligations may result in serious penalties. For instance, the UODO imposed:
- a fine of PLN 2,830,410 (equivalent to EUR 660,000) on a controller for failure to apply appropriate technical and organisational measures to protect confidentiality of personal data (Morele.net case);
- a fine of almost PLN 1 million (equivalent to EUR 220,000) on a controller for failing to fulfil the information obligation under Article 14 of the GDPR (Bisnode case).
Data Subject Rights
Under the GDPR, a data subject has the following rights:
- right to access his/her personal data;
- right to have his/her personal data rectified or erased, or the processing of those data restricted;
- right to object to the processing of personal data in certain cases e.g. direct marketing;
- right to data portability (i.e. to receive the personal data in a structured, commonly used and machine-readable manner);
- right not to be subject to a decision based solely on automated processing.
Processing by third parties
Under the GDPR, a data controller may entrust the processing of personal data to another entity by concluding a contract or other legal act that is binding on the processor with regard to the controller. The data entrusted for processing may only be processed within the scope and for the purpose indicated in the contract and the processing entity is obliged to ensure technical and organisational measures to safeguard entrusted personal data.
Transfers out of country
Requirements for transfers of personal data outside the EEA are now covered by the GDPR.
The GDPR stipulates that personal data may not be transferred to a country outside the EEA unless the European Commission has issued an adequacy decision for that country or appropriate safeguards are in place (e.g. binding corporate rules, standard data protection clauses adopted by the European Commission or an approved code of conduct).
In the absence of an adequacy decision and of the above safeguards, the transfer of personal data outside the EEA is permitted only in specific situations (e.g. when the data subject has explicitly consented to the transfer after being informed of the risks involved).
Data Protection Officer
Prior to GDPR applicability, under Polish law, the position of an administrator of information security (“ABI”) existed, whose tasks were similar to the ones laid down by the GDPR for a data protection officer (“DPO”).
The appointment of a DPO is obligatory in cases specified in the GDPR. The DPO’s tasks include ensuring compliance with the provisions of the GDPR as well as the PDPA.
Pursuant to the GDPR, a DPO is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
The PDPA sets out the procedure for notifying the President of the Office (UODO) of the DPO’s appointment. The PDPA also lays down requirements as to the publication of the DPO’s contact details.
The PDPA does not contain any specific provisions on security requirements that should be met by data controllers or processors. In this respect, appropriate provisions of the GDPR apply. The Introductory Act sets out some additional rules on data security, e.g. in an employment context (written authorisation to process the data) and in relation to providers of publicly available telecommunications services.
Data controllers and processors are obliged to implement technical and organisational measures to ensure protection of the processed personal data, appropriate to the risks. The measures taken may in particular include the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, as well as a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Breach notification obligations are specified in the GDPR. These obligations apply directly and include the obligation to notify the supervisory authority (the UODO) of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to notify the affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
Some additional data breach notification obligations apply to providers of publicly available telecommunications services.
- postal mail: consent is not necessary; direct marketing of the data controller’s own products or services can be based on its legitimate interests, and the data subject has the right to opt out
- electronic mail: explicit consent required (opt-in)
- phone: explicit consent required (opt-in)
- Given GDPR requirements apply to consent for e-mail and telephone marketing communications, it is also crucial to implement solutions that will enable data subjects to easily withdraw their consents.
- The above requirements have been confirmed in decisions recently issued by Polish authorities, e.g.:
- in the Arstele case the President of the Office of Competition and Consumer Protection (UOKiK) imposed a fine of PLN 69,967 (approx. EUR 17,491) and then PLN 10,523 (approx. EUR 2,630) for directing marketing phone calls to consumers without their prior consent; UOKiK stressed that it is insufficient to ask for consent at the beginning of a phone call;
- in the Koksztys case, the President of the Electronic Communications Office (UKE) imposed a fine of PLN 80,000 (approx. EUR 19,000) for telemarketing without prior, explicit consent; UKE stressed that even though a marketing agency acted on Koksztys’s behalf, it is not the marketing agency but the ordering party that failed to meet the consent requirements and should be held liable (as the marketing activities were aimed at promoting the services of Koksztys). This shows that outsourcing marketing activities does not release the ordering party from the obligation to obtain consent (regardless of the internal arrangements made with the marketing agency);
- in the ClickQuickNow case the UODO imposed a fine of PLN 201,559.50 (approx. EUR 47,000) for the non-implementation of appropriate technical and organisational measures that would allow contacted persons (contestants) to easily and effectively withdraw their marketing consent.
Last updated March 2020
Laws and regulations
Provisions on cybersecurity are included in numerous pieces of legislation, including:
- Act of 5 July 2018 on the National Cybersecurity System (“Cybersecurity System Act”);
- Act of 26 April 2007 on Emergency Management (“Emergency Management Act”);
- Act of 17 February 2005 on the Implementation of IT Solutions to Entities Providing Public Administration Services (“Implementation of IT Solutions Act”);
- Criminal Code of 6 June 1997 (“Criminal Code”);
- Act of 16 July 2004 – Telecommunications Law (“Telecommunications Law”);
- Act of 24 May 2002 on the Internal Security Agency and Intelligence Agency (“Internal Security Agency and Intelligence Agency Act”); and
- Act of 14 December 2018 on Personal Data Protection processed in relation to the prevention and combating of crime (“Police Act”).
Anticipated changes to law
The NIS Directive has been transposed into Polish law by means of the Cybersecurity System Act, which entered into force on 28 August 2018.
The Cybersecurity System Act is the main piece of legislation dedicated to ensuring cybersecurity on a national level. Prior to its entry into force, cybersecurity-related provisions were spread over a number of acts. These provisions, however, still apply and now complement core regulations contained in the Cybersecurity System Act (see below).
- The Cybersecurity System Act lays down various obligations for operators of essential services (e.g. in the energy, transport and banking sectors), which, due to their reliance on IT systems, are particularly vulnerable to cyber threats. It also establishes specific cybersecurity-related requirements in respect of digital service providers, and it applies to public authorities (see the “Key obligations” section below for further information).
- The Emergency Management Act sets out obligations for public authorities to secure critical infrastructure (both national and European), i.e. energy supply systems, communications sector, IT systems, transport, finance and continuity of public administration.
- The Implementation of IT Solutions Act (together with its executive acts) establishes security requirements for IT systems used by entities providing public administration services.
- The Criminal Code sets out crimes concerning the protection of information.
- The Telecommunications Law sets out obligations for providers of publicly available telecommunications services to safeguard the security of telecommunications networks.
- The Internal Security Agency and Intelligence Agency Act sets out the Internal Security Agency’s obligations regarding defence against threats from cyberspace to the structure and security of the state.
- The Police Act sets out the rules for the protection of personal data processed for the purpose of the detection, prevention and investigation of criminal offences.
- Ministers and other authorities competent for strategic sectors (e.g. energy, transport, healthcare, banking) – are obliged to supervise operators of essential services and digital service providers as to whether they comply with cybersecurity requirements. They have the right to order that breaches be remedied and, in specific cases, to impose financial penalties.
- Ministry of Digitisation – implementation of tasks related to broadly defined cybersecurity. In particular: the development and implementation of strategic documents and legislation on cybersecurity, national and international cooperation, developing guidelines and standards for the establishment of appropriate means of protecting IT systems, preparing analyses on the status of cybersecurity and cybersecurity risks to the State, and developing centralised plans for training, exercises and tests.
- Other Authorities such as: Government Security Centre, Government Emergency Management Team, Ministry of Internal Affairs and Administration, Internal Security Agency, Electronic Communications Office, Centre for IT Resources as an auxiliary unit of the Ministry of National Defence.
- The Cybersecurity System Act: obligation of operators of essential services to implement a cybersecurity management system, keep up-to-date cybersecurity documentation, manage cybersecurity incidents and report them to the relevant authorities. Similarly, the Act imposes on digital service providers the obligation to adopt appropriate and proportionate technical and organisational measures for managing the risks to which their information systems are exposed. The obligations resulting from the Act are further specified in implementing provisions issued by the Minister of Digitisation on 4 December 2019. They set out detailed technical and organisational requirements for (i) providers of cybersecurity services and (ii) the internal organisational structures of operators of essential services responsible for cybersecurity. Businesses concerned should note that many of those requirements depend on the result of their own risk assessment.
- Emergency Management Act: obligation to adopt measures capable of safeguarding the proper functioning of public telecommunications networks and ensuring security of telecommunications systems.
- Implementation of IT Solutions Act: obligation of public authorities (making use of IT systems for the purposes of providing public administration services) to comply with technical requirements ensuring security of data being processed within those systems.
- Criminal Code: penalization of conduct that breaches security of information (including the disruption of the operation of telecommunications networks).
- Telecommunications Law: obligation of providers of telecommunications services to adopt technical and organizational measures to safeguard the security and integrity of telecommunications networks. Obligation to notify the authorities of breaches of network and service security or integrity, which significantly affected the functioning of the networks or services.
- Internal Security Agency and Intelligence Agency Act: obligation to detect and prevent threats to telecommunications networks which are relevant to national security.
- The Police Act: obligation to protect personal data processed for the purpose of the detection, prevention and investigation of criminal offences.
- Cybersecurity System Act: financial penalties for non-compliance with cybersecurity-related requirements.
- Criminal Code: crimes concerning the protection of information listed in the Criminal Code: hacking, packet sniffing, thwarting access to computer data, computer sabotage, malware distribution and computer fraud, publishing extremist and fascist content.
- Penalties: fine, restriction of liberty or deprivation of liberty.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Before the Cybersecurity System Act entered into force, three entities responsible for the management of computer security incidents operated on a national level. The Cybersecurity System Act entrusted them with new tasks so that they all became CSIRTs within the scope required by the NIS Directive. Thus, the following CSIRTs were established – CSIRT MON, CSIRT NASK and CSIRT GOV.
In general, they are responsible for monitoring cybersecurity incidents, assessing risks and issuing information about identified cybersecurity threats. More specifically, each CSIRT is obliged to coordinate the handling of computer security incidents reported by the entities that fall within its scope of competence.
Is there a national incident management structure for responding to cyber security incidents?
The CSIRTs indicated in the section above are now responsible for the management of computer security incidents on a national level.
Other cyber security initiatives
- The Cybersecurity System Act provides for the obligation to create a Single Point of Contact ensuring cooperation between Polish authorities responsible for cybersecurity and the relevant authorities in other EU member states. The Single Point of Contact operates within the office of the Minister of Digitisation.
- The Cybersecurity System Act also obliges the Council of Ministers to adopt a Cybersecurity Strategy for Poland (“Cybersecurity Strategy”) – a document setting out strategic goals and appropriate political and regulatory measures aimed at achieving and maintaining a high level of cybersecurity. The Cybersecurity Strategy for 2019-2024 entered into force on 31 October 2019. It replaced the National Framework for Cybersecurity Policy of Poland for 2017-2022. The main aim of the Cybersecurity Strategy is to increase the level of resilience to cyber threats and the level of information protection in the public, military and private sectors.
Detailed aims of the Cybersecurity Strategy:
- development of a national cybersecurity system,
- increasing the resilience of public administration and private sector information systems and achievement of a capacity to effectively prevent and respond to incidents (to achieve this goal, the National Cyber Security Standards are to be drawn up),
- increasing national capacity in the field of cybersecurity technologies,
- building awareness and social competence in the field of cybersecurity,
- building a strong international position of Poland in the area of cybersecurity.
The Cybersecurity System Act establishes a College for Cybersecurity – an advisory body in matters relating to cybersecurity.