
Poland
Data Protection
Introduction
As Poland is a member of the European Union (EU), the Polish legislative framework for the protection of personal data arises mostly from EU regulations and directives. The General Data Protection Regulation (GDPR) is the key element of that framework, surrounded by sector-specific regulations. In addition, Poland enacted the Personal Data Protection Act of 2018, which regulates selected operational aspects of data protection, e.g., the functioning of the supervisory authority and the notification of data protection officers to that authority.
There are a number of sector-specific regulations with elements of data protection law, including banking law, insurance law, telecommunications law, and labour code, among others.
1. What national laws regulate the collection, use and disclosure of personal data?
The main legislation concerning privacy in Poland is the GDPR. The national regulation which supplements the provisions of the GDPR is the Personal Data Protection Act of 10 May 2018 (the “Personal Data Protection Act”).
Another key act is the Act of 21 February 2019 amending certain acts in connection with ensuring the application of the GDPR (the “Amending Act”). Its purpose was to align the Polish legal system with the requirements of the GDPR; it introduced changes to almost 170 legal acts.
Privacy of electronic communication is regulated in the Act of 12 July 2024, the Electronic Communications Law.
There are numerous legal acts that regulate specific areas of privacy law, such as employee privacy (e.g., the Labour Code), whistleblower protection, and privacy in the banking, insurance or healthcare sectors.
2. To whom do the laws apply?
The GDPR imposes obligations on controllers (including joint controllers) and processors, and defines the related concepts of recipient and data subject.
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).
“Joint controllers” are two or more data controllers jointly determining the purposes and means of processing (Article 26(1) of the GDPR).
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (Article 4(8) of the GDPR).
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed (Article 4(9) of the GDPR). However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with law shall not be regarded as recipients.
“Data subject” is an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
3. What is the territorial scope of the law?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU, and to controllers and processors not established in the EU where the processing relates to offering goods or services to data subjects in the EU (whether or not payment is required) or to monitoring their behaviour within the EU (Article 3 of the GDPR).
4. What acts and operations relating to personal data are regulated?
Processing personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the GDPR).
5. What personal data does the law regulate?
The GDPR defines personal data as any information relating to an identified or identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
The GDPR distinguishes special categories of personal data, i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9(1) of the GDPR).
Personal data relating to criminal convictions and offences or related security measures is not listed as special category data, but is also subject to additional restrictions in processing (Article 10 of the GDPR).
Pseudonymised data qualifies as personal data. Under the GDPR, pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).
Anonymous data does not qualify as personal data. Under Recital 26 of the GDPR, the principles of data protection do not apply to anonymous information, namely, information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable.
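As a practitioner's illustration of the distinction drawn in the two paragraphs above (an added example, not part of the original page or of any statute): the snippet below pseudonymises a constructed customer data set with a keyed HMAC and shows why an unkeyed hash of the identifier does not give the protection Article 4(5) describes, because anyone holding a guess list can re-link it. The records, the key, the attacker's guess list and all function names are constructed for the example.

```python
"""Keyed pseudonymisation versus a naive unkeyed hash (illustrative example).

All data below is constructed for the demonstration; the helper names are not
from any library or from the page being discussed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "anna.kowalska@example.pl", "plan": "premium", "country": "PL"},
    {"email": "jan.nowak@example.pl", "plan": "basic", "country": "PL"},
    {"email": "anna.kowalska@example.pl", "plan": "premium", "country": "DE"},
]

# Constructed guess list an attacker might hold (leaked directory, scraped addresses).
ATTACKER_GUESSES = ["jan.nowak@example.pl", "anna.kowalska@example.pl", "x@example.pl"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and key-free, so a guess list re-links it."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token cannot be
    attributed to a person; the key is the 'additional information kept
    separately' that Article 4(5) of the GDPR refers to."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed token; other attributes are
    kept, so joins and analytics on the token still work."""
    return [
        {"subject_token": keyed_pseudonym(r["email"], key),
         "plan": r["plan"], "country": r["country"]}
        for r in records
    ]


def dictionary_attack(tokens: list[str], guesses: list[str], hash_fn) -> dict:
    """Re-identify tokens by hashing every guessed identifier with hash_fn.
    The attacker has no key, so hash_fn is the unkeyed hash."""
    table = {hash_fn(g): g for g in guesses}
    return {t: table[t] for t in tokens if t in table}


def demo() -> dict:
    # In practice the key lives in a separate key store with its own access control.
    key = secrets.token_bytes(32)
    pseudo = pseudonymise(RECORDS, key)
    keyed_tokens = [r["subject_token"] for r in pseudo]
    naive_tokens = [naive_hash(r["email"]) for r in RECORDS]

    relinked_naive = dictionary_attack(naive_tokens, ATTACKER_GUESSES, naive_hash)
    relinked_keyed = dictionary_attack(keyed_tokens, ATTACKER_GUESSES, naive_hash)

    # Only the key holder (the controller) can re-link, e.g. to answer an
    # access or erasure request from the data subject.
    controller_lookup = {keyed_pseudonym(r["email"], key): r["email"] for r in RECORDS}

    return {
        "naive_relinked": len(set(relinked_naive.values())),   # 2 people exposed
        "keyed_relinked": len(relinked_keyed),                  # 0
        "controller_can_relink": all(t in controller_lookup for t in keyed_tokens),
        "same_person_same_token": keyed_tokens[0] == keyed_tokens[2],
    }


if __name__ == "__main__":
    print(demo())
```

The secret key is the separately held "additional information": storing it next to the data set, or using an unkeyed hash, leaves the data effectively identifiable. Note also that destroying the key does not by itself turn the data set into anonymous data in the sense of Recital 26; the remaining attributes (here plan and country) may still single out a person, so an anonymisation claim needs its own re-identification assessment.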
6. Are any types of personal data subject to a higher level of protection under the law?
The GDPR distinguishes special categories of personal data, that is, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
Personal data relating to criminal convictions and offences or related security measures is also subject to additional restrictions in processing (Article 10 of the GDPR).
7. What requirements must be fulfilled in order to process personal data?
The lawful bases for processing personal data vary depending on the type of data.
The processing of so-called “common data”, i.e., personal data that does not fall within the special categories, is lawful only if and to the extent that at least one of the following legal bases provided in Article 6(1) of the GDPR applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary in order to protect the vital interests of the data subject/another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular, where the data subject is a child.
The processing of special categories of data is generally prohibited; it may be lawful only if and to the extent that one of the following exceptions provided in Article 9(2) of the GDPR applies:
- the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary to carry out the obligations and exercise specific rights in the field of employment, social security and social protection (if authorised by law);
- processing is necessary to protect the vital interests of the data subject/another natural person;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by not-for-profit bodies;
- processing of the data that was manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or judicial acts;
- processing is necessary for reasons of substantial public interest (with a basis in law);
- processing is necessary for health or social care (with a basis in law);
- processing is necessary for reasons of public interest in the area of public health (with a basis in law);
- processing is necessary for archiving, research and statistics (with a basis in law).
Personal data relating to criminal convictions and offences or related security measures may be processed only under the control of official authority or when the processing is authorised by law providing appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the GDPR).
Processing personal data on the basis of consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).
For consent to be valid, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data is intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
8. What obligations apply when processing personal data?
The GDPR establishes the following principles of personal data protection:
- Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability. The data controller shall be responsible for, and be able to demonstrate compliance with, all the other principles described above.
Personal data breaches
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).
The general principles of notifying data breaches and informing data subjects about data breaches arise from Articles 33 and 34 of the GDPR. Additionally, some Polish sectoral regulations (e.g., for the telecommunications sector) modify the rules resulting from the GDPR, for example by shortening the time for breach notification to 24 hours.
The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33(1) of the GDPR); a processor must notify the controller without undue delay (Article 33(2)). The GDPR sets no numerical materiality threshold: the test is risk-based, and notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34). Whatever the outcome of that assessment, every breach must be documented internally so that the supervisory authority can verify compliance (Article 33(5)).
9. What rights does the data subject have in relation to personal data?
The GDPR provides the following rights for individuals:
- The right to be informed about the collection and use of personal data. (In principle, the information should be provided at the time of collecting the data.)
- The right of access to the personal data the controller holds about the data subject, including the right to obtain a copy of personal data.
- The right to rectification. The data subject can exercise his/her right if any personal data the data controller holds about an individual is inaccurate or incomplete.
- The right to erasure (“the right to be forgotten”), i.e., the right to ask the data controller to delete any personal data it holds about the data subject. The data subject can exercise his/her right if:
- the personal data is no longer necessary in relation to the purposes for which it was collected by the data controller;
- the individual withdraws consent to the processing of data (in the scope covered with consent);
- the individual objects to the processing of data and there are no overriding legitimate grounds for the processing (or objects to processing for direct marketing);
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation; or
- the personal data has been collected in relation to the offer of information society services provided for children.
- The right to restriction of processing, i.e., to have the controller limit the processing of the data subject’s personal data to storage only. The data subject can exercise his/her right if:
- the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify its accuracy;
- the processing is unlawful but the individual opposes the erasure of the personal data;
- the data controller no longer needs the data but the individual requires the data for the establishment, exercise or defence of legal claims; or
- the individual objects to the processing, pending the verification of whether the legitimate grounds of the data controller override her/his rights.
- The right to data portability. The data subject can exercise his/her right if the processing is based on the individual’s consent or on contract with the individual and the processing is carried out by automated means.
- The right to object to the processing of the data subject’s personal data for particular purposes. Individuals have an absolute right to stop their data being used for direct marketing, including profiling related to such marketing. Individuals also have the right to object, on grounds relating to their particular situation, at any time when the processing is based on the legitimate interests of the data controller or is carried out for the performance of a task in the public interest or in the exercise of official authority vested in the data controller. In that case the controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is needed for the establishment, exercise or defence of legal claims (Article 21 of the GDPR).
- The right to withdraw the consent at any time, wherein the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- The rights in relation to automated decision-making and profiling. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning her/him or similarly significantly affects her/him (unless the decision is necessary for entering into, or the performance of a contract between the data controller and the individual, is authorised by law, or is based on the individual’s explicit consent).
Additional remarks and exceptions for selected rights:
- In relation to the right to be informed, the data controller is exempt from the obligation to provide the information in the following cases (the first applies whether or not the data was obtained from the data subject, Articles 13(4) and 14(5)(a) of the GDPR; the remaining three apply only where the data was not obtained directly from the data subject, Article 14(5)(b)–(d)):
- where the individual already has the information;
- if the provision of such information proves impossible or would involve a disproportionate effort;
- if obtaining or disclosure is expressly laid down by law and provides appropriate measures to protect the data subject’s legitimate interests;
- in cases of professional secrecy, where the personal data must remain confidential subject to an obligation of professional secrecy regulated by law.
- In relation to the right to erasure, the controller may refuse to delete the data when the processing is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation;
- reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- the establishment, exercise or defence of legal claims.
10. What rules regulate the sending of commercial or direct marketing communications?
The most important requirements and restrictions stem from the GDPR, the Electronic Communications Law, the Act on Combating Unfair Competition, as well as the Act on Combating Unfair Market Practices and the Act on Competition and Consumer Protection.
As a rule, it is prohibited to send unsolicited commercial information by electronic means of communication to identified recipients who are natural persons. Sending such information is permissible if the recipient has given his/her prior consent.
In addition, it is important to note that most direct online marketing activities (such as email marketing or newsletters) entail the need to process the personal data of customers to whom such actions are addressed and, thus, comply with the GDPR. If an entity is considered a controller, it must be able to demonstrate the legal basis for the processing of personal data. In practice, online marketing is usually conducted on the basis of the customer’s consent.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
If the transfer of personal data is to take place outside the European Economic Area, it is permitted when:
- the European Commission has decided that the third country ensures an adequate level of protection (Article 45 of the GDPR);
- appropriate safeguards are provided, such as Standard Contractual Clauses, Binding Corporate Rules or an approved code of conduct, and simultaneously enforceable data subject rights and effective legal remedies for data subjects are available (Article 46 of the GDPR); or
- one of the derogations for specific situations applies, e.g., the data subject’s explicit consent after being informed of the risks, a transfer necessary for the performance of a contract between the data subject and the controller, or a transfer necessary for the establishment, exercise or defence of legal claims (Article 49 of the GDPR).
12. What are the investigatory and enforcement powers of the regulator?
The authority responsible for enforcing data protection law is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), which is the supervisory authority within the meaning of the GDPR. The key investigative powers of the supervisory authority include:
- ordering a data controller or a processor, and, where applicable, a controller’s or a processor’s representative, to provide any information it requires for the performance of its tasks;
- carrying out investigations in the form of data protection audits;
- notifying a data controller or processor of an alleged infringement of the GDPR; and
- obtaining access to all personal data and information necessary for the performance of its tasks, as well as access to any premises of the data controller or processor, including data processing equipment.
The key corrective powers of the supervisory authority include:
- issuing warnings, reprimands and various orders regarding compliance;
- imposing a temporary or definitive limitation including a ban on processing;
- imposing administrative fines in addition to or instead of other measures; and
- suspending data flows.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Infringements of the GDPR identified by the supervisory authority may result in an administrative fine of, depending on the provision infringed, up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, or up to EUR 20 million or 4% of that turnover, in each case whichever is higher (Article 83 of the GDPR). The Personal Data Protection Act caps administrative fines imposed on public authorities at PLN 100,000 (approximately EUR 25,000).
Any individual who has suffered material or non-material damage as a result of an infringement of data protection law in relation to the processing of his/her data has the right to receive compensation from the controller or processor (Article 82 of the GDPR). The GDPR formulates the principle of full and effective compensation.