Poland
In this chapter:
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed replacing the main pre-GDPR legislation whilst legislation which includes limited provisions relating to processing personal data has been updated.
———
(b) Relevant legislation includes:
- Act of 10 May 2018 on the Protection of Personal Data
(the “Data Protection Act”)- Date in force: 25 May 2018
- Link: In Polish:
see here
- Act of 21 February 2019 on the amendments of
some legal acts in connection with the implementation
of the GDPR- Date in force: 4 May 2019
- Link: In Polish:
see here
———
(c) What is the status of national pre-GDPR data protection law?
The main pre-GDPR has been repealed in full whilst other pre-GDPR legislation has been revised.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
There are no specific rules governing this issue.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
There are no specific rules governing this issue.
———
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
Personal data may be processed for the purposes of detecting and preventing crime, in the public interest, by:
- banks, lending institutions and other indicated entities; and
- insurance companies (only in case of suspected offences against the insurance companies and for the purpose of preventing that offence).
———
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
There are no specific rules governing this issue.
———
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
16 years of age.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject's valid consent has been obtained.
———
b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
See Q20(b) below.
(ii) Substantial public interest
The following rules apply to the processing this category of data:
- representatives of the Supreme Chamber of Control are permitted to process personal data, excluding data revealing political views, religious or philosophical beliefs, genetic data, data regarding addictions, sex life and sexual orientation. Such processing must be carried out for the purpose of establishing facts regarding the activities of the entities under control, documenting those facts and assessing controlled activities;
- the Ombudsman is authorised to process sensitive personal data only for the purpose of protection of rights and freedoms of a person, in the course of the performance of its legal tasks; and
- the State Fire Service is authorised to process personal data, including sensitive personal data, for the purpose of recruitment.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
Public entities mandated with the protection of patients’ rights may process sensitive personal data only for the purpose of protection of patients’ rights in the course of performing specified legal tasks.
(iv) Public interest in the area of public health
There are no specific rules on processing this category of data.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
Academic institutions and certain education institutions may process sensitive personal data provided that the published results do not permit the identification of any data subject. Additional safeguards must be implemented in the course of such processing, including the requirement to anonymise personal data as soon as the relevant aims of the processing activity are achieved. Prior to any anonymisation, personal data which may be used to identify data subjects must be kept in separate data sets. Such data sets may only be combined if it is necessary for the purpose of scientific research.
———
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
The Polish National Bank may process the following categories of personal data from persons providing services to the Polish National Bank or transporting assets with monetary value: biometric data relating to fingerprints, voice, hands and veins of fingers or hands. The biometric data may be processed as long as the abovementioned services are performed. This may only be done if it is necessary for maintaining safety in connection to access to information or premises of the Polish National Bank.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
The following rules apply to the processing of this category of data:
- the Ombudsman may process personal data relating to criminal convictions and offences for the purpose of protection of rights and freedoms of a person, in the course of performance of its legal tasks;
- the State Fire Service is authorised to process personal data, including data relating to criminal convictions and offences, for the purpose of recruitment to the State Fire Service, including following the end of the period of service of firefighters;
- in the context of public procurement, processing of personal data relating to criminal convictions and offences may only be performed by persons who have written authorisations and are obliged to maintain secrecy; and
- personal data, which may also include data relating to criminal convictions and offences, collected in rescue related registers are subject to the following safeguards:
- processing personal data is only permitted under a written authorisation; and
- authorised persons are obliged to maintain secrecy.
Q7/ Exemptions
(a) Does national law specify exemptions to a data subject’s right to erasure?
There are no specific exemptions to the right to erasure.
———
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
There are no specific exemptions to the right to be provided information.
———
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
The following exemptions apply to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling:
- banks, lending institutions and other indicated entities may, for the purpose of creditworthiness assessment and credit risk analysis, make decisions based solely on automated processing, including profiling, of personal data (including data which constitutes a banking secret but excluding sensitive personal data), provided that the person whom the automated decision concerns is informed of: the grounds on which the relevant decision was reached, the right to obtain human intervention in order to obtain another decision and the right to express his or her own position. Such a decision may be based only on personal data necessary for the purpose and type of credit; and
- insurance companies may, for the purpose of assessment of insurance risk or performing other indicated insurance activities, make decisions in individual cases, based solely on the automated processing of personal data, including profiling, provided that the person whom the automated decision concerns is informed of: the grounds on which the relevant decision was reached, the right to obtain human intervention in order to obtain another decision and the right to express his or her position. Such a decision may be based only on the personal data specified in the legal provision.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
For example, the following restrictions apply to the rights of data subjects:
- Arts. 12-16 & 18-20 GDPR are not applicable to the processing of personal data in the course of activities relating to the performance of the prosecutor’s tasks, i.e., prosecuting offences and protecting the rule of law;
- Arts. 15(1)-(3), 18-19 GDPR are applicable to advocates, legal advisors, tax advisors, notary publics and sworn translators only to the extent that the exercise of such rights does not infringe relevant obligations of professional secrecy;
- Art. 21(1) GDPR is not applicable to the
- processing of personal data of a debtor by a business information office in connection to providing economic information, or
- processing of personal data of a debtor by a creditor in connection with providing business information to a business information office;
- providers of payment services, payment organisations and entities maintaining payment systems are not obliged to perform obligations stipulated in Art. 15 GDPR to the extent it is necessary to properly perform tasks aimed at counteracting money laundering and terrorist financing and preventing crimes; and
- personal data, which may include sensitive personal data, collected in rescue related registers are subject to the following safeguards:
- processing personal data is only permitted under a written authorisation; and
- authorised persons are obliged to maintain secrecy.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
Q10/ Processor
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Impact Assessments are only required in accordance with the provisions of the GDPR.
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
Q13/ DPOs
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.
———
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
DPOs are not subject to secrecy obligations under national law.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
———
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Data transfers are not subject to restrictions beyond those set out in the GDPR.
Q15/ DPAs
(a) Details of the DPA(s).
- Name of DPA: Urząd Ochrony Danych Osobowych
(Personal Data Protection Office)- Address: ul. Stawki 2, 00-193 Warsaw, Poland
- Website: uodo.gov.pl
———
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
———
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
Not applicable.
———
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The DPA has the following additional powers:
- any draft laws relating to data protection must be presented to the DPA for its opinion. The DPA is also permitted to request the relevant authorities to initiate the legislation process regarding matters relating to data protection;
- the DPA is authorised to demand that the party to proceedings conducted by the DPA provide Polish translation of foreign-language documents requested from that party in the course of the proceedings. Costs of translation are to be borne by the party;
- in the course of proceedings conducted by DPA, the DPA is authorised to interview employees of the controller; and
- if it is justified by the public interest, the DPA may publish its decisions in the Public Information Bulletin.
———
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
A decision of the DPA may be appealed to the lower administrative court. Most decisions of the lower administrative court may subsequently be appealed to the higher administrative court. Filing an appeal to the administrative court suspends the execution of a fine imposed by the DPA.
———
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
In general, the DPA is authorised to access information and documents subject to obligations of secrecy unless relevant laws provide otherwise.
A party to proceedings conducted by the DPA may indicate which documents (or parts thereof) include trade secrets. In that case, the party is obliged to provide the DPA with redacted versions of the relevant documents. The DPA may request full versions of the documents if it considers that the documents do not, in fact, include trade secrets. Upon request of the relevant party, the DPA must restrict access by other parties to the documents containing trade secrets or other protected secrets.
The obligations of professional secrecy of advocates, legal advisors, tax advisors, notary publics, sworn translators, State Solicitor’s Office members and professional auditors cannot be waived.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
The DPA is authorised to impose a fine of up to PLN 100,000 (approx. €23,200) on the following public authorities for breaches of the GDPR:
- selected financial sector units (i.e., public authorities, including government administration bodies, state control bodies, courts and tribunals, local government units and their associations, metropolitan unions, budgetary units, local budgetary establishments, executive agencies, budget economy institutions, state funds, Social Insurance Institution and funds managed by it, Agricultural Social Insurance Fund and funds managed by its president, National Health Fund, independent public healthcare institutions, public universities, Polish Academy of Sciences and organisational units created by it, other state or local government legal entities established on the basis of separate acts in order to perform public tasks, excluding enterprises, research institutes, banks and commercial law companies);
- research institutes; and
- the Polish National Bank.
Further, the DPA is authorised to impose a fine of up to PLN 10,000 (approx. €2,300) on state and local cultural institutions.
Public authorities which are subject to a decision issued by the DPA must publish (on their websites or in the Public Information Bulletin) information about their remediation actions in respect of the DPA’s decision.
———
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
An entity which processes personal data unlawfully or despite not being authorised to process such personal data is liable to a fine, restriction of personal liberty or imprisonment for up to two years.
If the breach concerns sensitive personal data, the perpetrator is liable to a fine, restriction of personal liberty or imprisonment for up to three years.
Whoever prevents an inspector from carrying out a compliance inspection in respect of personal data protection provisions or makes it difficult for an inspector to carry out such an inspection is liable to a fine, restriction of personal liberty or imprisonment for up to two years.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
There are no specific provisions governing this issue.
———
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
The following GDPR provisions are not applicable to processing of personal data for the purpose of artistic or literary expression and to creating and publishing press materials: Arts. 5-9, 11, 13-16, 18-22, 27, 28(2)-(10) & 30.
The following GDPR provisions are not applicable to processing of personal data for the purpose of academic expression: Arts. 13, 15(3), 15(4), 18, 27, 28(2)-(10) & 30.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
There are no specific provisions governing this issue.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
The following rules apply to the processing of employee data:
- CCTV: An employer may process data acquired through monitoring systems only for the purpose of ensuring safety of employees or protection of property, or production control, or confidentiality of information where disclosure might damage the employer’s interests. An employer may process CCTV only for the purposes for which they were collected and store them for a period not exceeding three months from the date of recording. Where video recordings constitute evidence in proceedings conducted under law or where the employer has learnt that they may constitute evidence in proceedings, the above period is to be extended until the proceedings have been finally closed;
- Email monitoring: An employer is permitted to process data acquired through email monitoring systems (or other monitoring systems) only for the purpose of ensuring the proper functioning of an organisation, including the full use of the working time and the proper use of the work tools made available to the employee; and
- Biometric data: If it is necessary to ensure the safety of critical infrastructure and its premises, operators of critical infrastructure may process the following biometric data from employees: fingerprints, voice, image of the cornea or network of finger veins.
———
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
The following safeguards apply in order to protect employees’ dignity, legitimate interests and fundamental rights:
- CCTV must not be used to monitor rooms made available to trade unions. It must not be used to monitor sanitary rooms, locker rooms, canteens and smoking areas, unless the use of monitoring in those rooms is necessary to fulfil the objectives specified in Q20(a) above and does not violate the dignity and other personal rights of employees, in particular, by the use of techniques that make it impossible to identify persons present in those rooms. The monitoring of sanitary rooms requires prior consent from the entity’s trade union, or if there is no trade union, the consent of employees;
- the objectives, the scope and the manner of use of monitoring systems (CCTV, email monitoring and other monitoring systems) should be established in a collective labour agreement or in the work regulations, or in an announcement if the employer is not covered by a collective labour agreement or is not obliged to adopt work regulations. An employer must notify employees of the introduction of monitoring no later than two weeks before starting the monitoring. Before permitting an employee to perform their work duties, an employer must provide them with the above information in writing; When monitoring is introduced, the employer must designate monitored rooms and monitored areas in a visible and legible manner, using appropriate signs or sound announcements, no later than one day before starting the monitoring;
- email monitoring systems should not violate the confidentiality of correspondence and other personal rights of employees;
- employers may only process the following personal data of applicants: name(s) and surname, date of birth, contact information, education, professional qualifications and employment record. An employer may require an applicant for the job to provide information relating to education, professional qualifications and employment record if such data is necessary to perform specified work or take the specified position;
- in addition, employers may process the following personal data from employees: residence address, national identification number (PESEL), identity card number, other data regarding the employee, his or her children and other family members (if such data is necessary to exercise special rights to which an employee is entitled pursuant to labour law), education and employment record (if this was not obtained during the application process) and the bank account number (if the employee did not request for payment of remuneration in cash); other data may be demanded from an employee if it is necessary to exercise rights or perform obligation under the relevant laws;
- the consent of an employee or applicant may serve as a basis for processing other personal data, excluding personal data relating to criminal convictions and offences. Lack of consent of an employee or applicant cannot trigger any negative consequences for that person. The consent of an employee or applicant may serve as a basis for processing sensitive personal data only if that person provided the data on his or her own initiative. However, processing the biometric data of an employee is lawful also if it is necessary for the purpose of controlling access to particularly important information, where disclosure may cause harm to the employer or control access to premises requiring special control; and
- managers of entities performing medical activities may indicate in their policies the monitoring of certain areas by CCTV. The recordings obtained in connection to the above, containing personal data, may be used by the medical entity only for the purposes for which they were collected and may be stored for a maximum of three months.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
The GDPR and the Data Protection Act are not applicable to the processing of personal data by:
- selected financial sector units (i.e., public authorities, including government administration bodies, state control bodies, courts and tribunals, budgetary units, executive agencies, budget economy institutions, other state or local government legal entities established on the basis of separate acts in order to perform public tasks, excluding enterprises, research institutes, banks and commercial law companies) where the processing is necessary to perform tasks aimed at providing national security, if the specific laws provide the necessary means to protect laws and freedoms of the data subject; and
- intelligence services.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are no current legal challenges ongoing.
Q23/ Enforcement
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has taken some enforcement action, including the following:
- in March 2019, the DPA imposed a fine in the amount of almost PLN 1 million (approx. €232,000) on a company commercially providing business reports about other entities (companies and sole entrepreneurs) for a breach of Art. 14(1)-(3) GDPR. The fined company failed to perform its information obligation towards 6,671,368 sole entrepreneurs, whose data were processed by that company, because, as the company explained, it would involve disproportionate effort, i.e., it would involve very high costs (exemption from Art. 14(5)(b) GDPR). The DPA did not agree that the exemption was applicable in the circumstances of the case. In addition to imposing a fine, the DPA obliged the company to perform its information obligation towards all data subjects. This decision has been appealed to the Administrative Court; and
- in April 2019, the DPA fined a football association for publishing football referees’ personal data on its website, including their national identification numbers and residence addresses. The DPA found the scope of such disclosure to be too large, and the entity was found to have breached Arts. 5(1)(f), 32(1)(b) & 32(2) GDPR. The fine amounted to PLN 55,750 (approx. €13,000).
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:
- guidance on GDPR compliance for electoral campaigns (see here (in Polish));
- guidance on GDPR compliance in educational institutions (see here (in Polish));
- guidance on understanding the risk-based approach (see here (in Polish)); and
- guidance on GDPR compliance for employers (see here (in Polish)).
Other chapters
- Foreword and issue-by-issue comparison
- Country-by-country guides:
———
See also:
Our Global Data, Privacy & Cybersecurity Practice »
GDPR Handbook: Unlocking the EU General Data Protection Regulation »
———
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP