Poland

Privacy Culture

In recent years Poland became a vital European and global centre for business support services. Many multinational companies open there their so called centres of excellence, which entails intensive data transfers from and to Poland. Therefore, there should be no doubt about the increasing importance of data protection & privacy in Poland.

According to the EuroBarometer Survey on Data Protection issued by the European Commission only 21 % of the respondents feel that they have no control over their information provided online. This result constitutes a big difference between what Polish and respondents from other EU countries think. 31% of European respondents claim to be concerned about the level of control over their information provided online.

Legal History

Due to progressing democratization of public life after 1989, the protection of privacy of every citizen has found an expression in the new Constitution of the Republic of Poland adopted in 1997 (Konstytucja Rzeczpospolitej Polskiej z dnia 2 kwietnia 1997). The Constitution guarantees everyone's right to privacy and everyone's right to have the information pertaining to him/her protected. Additionally, as a member of European Union, Poland implemented EU Data Protection Directive 95/46/EC in Personal Data Protection Act of 29 August 1997 (Ustawa z dnia 29 sierpnia 1997 r. o ochronie danych osobowych or 'PDPA'). The PDPA remains the most comprehensive act regulating the processing of personal data, and it covers any operation performed on personal data.

The act governs the collection, recording, storage, organisation, alteration, disclosure and deletion of personal information by data controllers. In addition, data controllers are under obligation to comply with executive acts of the PDPA. The most important regulations influencing the processing of personal data are:
The regulation of the Minister of Interior and Administration of April 29, 2004 on the documentation of personal data processing, and technological and organizational conditions which shall be met by devices and IT systems used for personal data processing, (Rozporządzenie Ministra Spraw Wewnętrznych i Administracji z dnia 29 kwietnia 2004 r. w sprawie dokumentacji przetwarzania danych osobowych oraz warunków technicznych i organizacyjnych, jakim powinny odpowiadać urządzenia i systemy informatyczne służące do przetwarzania danych osobowych);
The regulation of the Minister of Interior and Administration of December 11, 2008 on the sample of the declaration form necessary for the registration of personal data set to the Inspector General for the Protection of Personal Data (Rozporządzenie Ministra Spraw Wewnętrznych i Administracji z dnia 11 grudnia 2008 r. w sprawie wzoru zgłoszenia zbioru danych do rejestracji Generalnemu Inspektorowi Ochrony Danych Osobowych);
The regulation of the Minister of Administration and Digitization of December 10, 2014 on the sample of the declaration form necessary for appointment and dismissal of information security administrator. (Rozporządzenie Ministra Administracji i Cyfryzacji z dnia 10 grudnia 2014 r. w sprawie wzorów zgłoszeń powołania i odwołania administratoa bezpieczeństwa informacji).
The processing of personal data in certain industries is also influenced by sector specific laws, such as:
Telecommunication sector - The Telecommunications Act of 16 July 2004;
Banking sector - The Banking Act of 29 August 1997.

Enforcement and Court Action

The public body responsible for administrative enforcement of the PDPA is the General Inspector of Personal Data Protection (Generalny Inspektor Ochrony Danych Osobowych or 'GIODO'). Should any breach of the PPDA occur the GIODO can, acting either ex officio or upon a motion of a person concerned, issue an administrative decision ordering compliance with the law. The GIODO can order, in particular:

to remedy the negligence,
to complete, update, correct, disclose, or not to disclose personal data,
to apply additional measures protecting the collected personal data,
to suspend the flow of personal data to a third country,
to safeguard the data or to transfer data to other subjects,
to erase the personal data.

In Poland, there are three possible procedures to seek a remedy in case of personal data protection violation: administrative action, civil action, and criminal procedure. The GIODO is not authorised to issue financial penalties in cases of violations of the personal data protection law. However, non-compliance with decisions of the GIODO may result in a fine ranging from 12.000,00 EUR to 50.000,00 EUR. In addition, the GIODO may order the performance of audit by its inspectors. In case the inspection reveals that the action or failure in duties of the data controller bears attributes of an offence within the meaning of the PPDA, the GIODO can refer the case to a proper prosecuting body. The head of an organisational unit, its employee or any other natural person acting as data controller that are found liable for the PPDA offence may be subject to imprisonment of up to three years or a partial restriction of freedom up to twelve months. Moreover, a court may impose on individuals a fine up to 270.000,00 EUR. 

Corporate Risk

The number of complaints received by the GIODO is steadily increasing each year. In 2013 and 2012 the GIODO received 1,900 and around 1,600 complaints respectively. In 2013 the Office's employees conducted 173 controls. In 2014 nearly 2,500 complaints were submitted from data subjects on the ground of improper processing of their personal data. The GIODO made approximately 1,200 decisions that year, nearly a half of which was related to data filing system registrations. The number of complaints was the highest in telecommunications and financial sector. Nevertheless, in majority of cases companies and individuals comply with the GIODO's decisions. In 2013, the GIODO imposed only two enforcement penalties each amounting to 6.000,00 EUR. 

In general, data protection matters tend to be discontinued by the police due to low social harmfulness. Most notably, the number of complaints per capita is very low. In GIODO's 2013 annual report, Mr Wojciech Wiewiórowski, has appealed to the Sejm of the Republic of Poland (the lower chamber of the Polish Parliament) to increase the Office's budget. The GIODO pointed out that the annual number of complaints is increasing and the budget remains the same for many years. The GIODO already has a serious problem in fulfilling its statutory duties and without additional funds its role will be further marginalised. Well-qualified staff, who used to work for the GIODO, move to work for the private sector. The low number of complaints may indirectly result from this problem. The necessity to process the growing number of complaints together with not sufficient number of employees working for the Office may explain the lack of time and resources to conduct educational projects and raise awareness on data privacy & protection. 

Future Outlook

As a general rule of the EU data protection law, transfer of personal data to third countries (a country outside the European Economic Area) that do not provide an 'adequate level' of data protection requires, among other statutory requirements, obtaining either the prior written consent of every data subject or prior consent of a data protection authority. However, in November 2014 certain provisions of the PDPA were amended allowing certain Polish data controllers the ability to transfer personal data to third countries that do not provide an 'adequate level' of data protection without the necessity to obtain a prior approval of the GIODO or the data subject. The rationale behind this amendment was to reduce the regulatory burden of the GIODO and was introduced to legal systems of many other EU member states. 

Nevertheless, only data controllers that either execute standard contractual clauses approved by the European Commission, or have implemented Binding Corporate Rules approved by the GIODO are allowed to do so. Under the new regime it is no longer mandatory to appoint an administrator of information security (administrator bezpieczeństwa informacji or 'ABI'). Nevertheless, the data controller that does not appoint ABI has to itself assume duties imposed on ABI by the PDPA. An ABI is obliged to ensure compliant personal data processing, to maintain appropriate documentation, to maintain a publicly available register of data filing systems and to verify compliance of data processing with the applicable rules upon the DPA’s request. The amendment became effective on January 1, 2015.

Poland will also be affected by the newly adopted General Data Protection Regulation and its new stricter requirements. Among other things it will affect the powers of GIODO. In May 2018, when the GDPR will enter into force the GIODO will be able to impose monetary penalties that will be significant with a maximum fine of 4% annual global turnover or up to 20m EUR, whichever is higher.

Sources

1. DataGuidance, Global Privacy Enforcement Report 2015 [Cecile Park Publishing Ltd.]

2. European Commission, EROBAROMETER Survey on Data Protection, 28/02/2015 – 09/03/2015
http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_pl_en.pdf 

3. Pricewaterhouse Coopers Legal LLP, Privacy and Security Enforcement Tracker, March 2015
http://pwc.blogs.com/data_protection/2015/03/enforcement-tracker-download-here.html 

4. General Inspector of Personal Data Protection, Polish Legal Acts Concerning the Protection of Personal Data
http://www.giodo.gov.pl/144/id_art/168/j/en/ 

5. Linklaters, Poland- Privacy amendments to encourage entrepreneurs, 08/12/2014
http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-8-December-2014/Pages/Poland-Privacy-amendments-encourage-entrepreneurs.aspx 

6. General Inspector of Personal Data Protection, GIODO Annual Report 2013
http://www.giodo.gov.pl/data/filemanager_pl/sprawozdaniaroczne/2013.pdf 



Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, the United Kingdom