WKB Wiercinski, Kwiencinski, Baehr

 

What law(s) specifically govern personal data / information?

As in other EU countries, the primary legal act regulating the protection of personal data in Poland is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). In accordance with the general principles of EU law, it is directly applicable within the Polish legal system.

In addition to the GDPR, the Act of 10 May 2018 on the Protection of Personal Data is in force in Poland, ensuring the effective application of the GDPR. Moreover, specific provisions governing the processing of job candidates’ and employees’ personal data, including monitoring, are stipulated in the Polish Labour Code. It is also worth noting that online marketing and the use of cookies, which are inextricably linked to personal data, are covered by the Electronic Communications Law, which came into force in 2024.

What are the key data protection principles in this jurisdiction?

The key principles of data protection derive directly from the GDPR. These include:

  • lawfulness

A data subject’s personal data must be processed lawfully, meaning there must be a valid legal basis for the processing (e.g., consent, contract, legal obligation, public interest, or legitimate interest).

  • fairness

A data subject’s data must be processed fairly, ensuring that their rights are respected and that the processing does not cause harm or unfair disadvantage.

  • transparency

A data subject must be clearly informed about how their personal data is being used, who is processing it, and for what purposes.

  • data minimisation

A data subject’s personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  • accuracy

A data subject’s personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted without delay.

  • storage limitation

A data subject’s personal data should be kept in a form that allows identification of the data subject only for as long as necessary for the purposes of processing. However, this general rule is supplemented by specific provisions of Polish law (e.g. regarding CCTV employee monitoring, which obliges employers to store the recordings for a maximum period of 3 months).

  • integrity and confidentiality

A data subject’s personal data must be processed securely to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

  • accountability

The controller is responsible for complying with these principles and must be able to demonstrate such compliance.

What is the supervisory authority / regulator in charge of data protection?

The supervisory authority responsible for data protection is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”).

 

Is there a requirement to register with a supervisory authority / regulator?

No, the provisions do not impose such an obligation.

 

Is there a requirement to notify the supervisory authority / regulator?

The most important obligation concerning notifications to the supervisory authority is the reporting of personal data breaches. When a data breach results in any risk to the rights and freedoms of data subjects, the controller is obliged to report it to the President of the Personal Data Protection Office within 72 hours of becoming aware of the breach. Failure to meet this deadline may result in the authority imposing a fine.

This marks a substantial change from the previous practice of the President of the Personal Data Protection Office. Until the beginning of 2025, Polish controllers were expected to report personal data breaches that posed a medium or high risk. At the beginning of 2025, the Polish supervisory authority issued guidance under which controllers are expected to also report breaches resulting in a low risk to the rights and freedoms of data subjects.

The second reporting obligation relates to the appointment and dismissal of a Data Protection Officer (“DPO”): the controller or the processor must notify the supervisory authority within 14 days of appointing or dismissing a DPO.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, both the reporting of personal data breaches and the notification of the appointment or dismissal of a DPO can be carried out online. The relevant forms, as well as detailed guidelines, are available on the website of the President of the Personal Data Protection Office.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the GDPR, the data subject has the right to:

  • information on how personal data is processed

A data subject has the right to be informed about who is processing their personal data (the controller), the purposes of processing, the retention period, potential recipients, and other relevant information necessary to ensure fair and transparent handling of their data (Articles 13–14 GDPR);

  • access to personal data

A data subject has the right to access the personal data held about them, including information on the purposes of processing, categories of data, and recipients. A data subject may also request a copy of their personal data (Article 15 GDPR).

  • rectification of personal data

A data subject has the right to have inaccurate or incomplete personal data corrected or completed (Article 16 GDPR).

  • erasure of personal data (“the right to be forgotten”)

A data subject has the right to request erasure of their personal data in certain circumstances, such as when the data is no longer necessary, consent is withdrawn, or the data has been unlawfully processed (Article 17 GDPR).

  • restriction of personal data processing

A data subject has the right to request restriction of processing, meaning that their personal data can only be stored or processed for certain limited purposes (Article 18 GDPR).

  • personal data portability

A data subject has the right to receive their personal data in a commonly used digital format and transfer it to another controller, or have it transmitted directly between controllers, where technically feasible (Article 20 GDPR).

  • objection to processing

A data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, in particular where the processing is based on public interest or the legitimate interest of the controller. A data subject also has the right to object at any time to processing for direct marketing purposes, including profiling (Article 21 GDPR).

  • not to be subject to automated decision-making, including profiling

A data subject has the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects for them (Article 22 GDPR).

  • withdrawal of consent

A data subject has the right to withdraw any consent previously given for the processing of their personal data at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal (Article 7(3) GDPR).

In addition, the data subject may lodge a complaint with the President of the Personal Data Protection Office regarding the improper processing of their personal data. In Poland, this can be done either electronically or in writing.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, the obligation to appoint a DPO arises in the following cases:

  • where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • where the core activities of the controller or the processor consist of large-scale processing of special categories of personal data referred to in Article 9(1) of the GDPR and of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

The appointment of a DPO must be notified electronically to the President of the Personal Data Protection Office within 14 days of designation. Furthermore, pursuant to Article 11 of the Act of 10 May 2018 on the Protection of Personal Data, the controller is legally obliged to publish the DPO’s details, namely their name and either an e-mail address or a telephone number, on its website or, if it maintains no website, to make this information generally available at its place of business.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes, pursuant to Article 35 of the GDPR, carrying out a Data Protection Impact Assessment (“DPIA”) is mandatory whenever a type of processing, due to its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, for example large-scale processing of sensitive data, systematic monitoring of publicly accessible areas, or the use of biometric or genetic data for identification. In addition, the President of the Personal Data Protection Office has published guidelines and a list of processing operations for which a DPIA is required. That list includes examples such as large-scale employee monitoring, processing of patients’ health data with automated tools, and real-time geolocation tracking.

 

Does this jurisdiction have any specific data breach notification requirements?

Reporting personal data breaches is mandatory for controllers within 72 hours of becoming aware of such an event. The notification can be submitted electronically and if the controller does not possess full, detailed information on the circumstances or the scope of the breach, the controller may report it via a preliminary notice, with a supplementary notice to follow.

Regarding when to report a breach, a useful reference for controllers is the guide “Obligations of Controllers Related to Personal Data Breaches” issued by the President of the Personal Data Protection Office in February 2025. It should be noted that this material is for guidance purposes only and does not constitute a legally binding source of law; nevertheless, it reflects the Polish supervisory authority’s approach to personal data breach handling.

 

What restrictions apply to the international transfer of personal data / information?

Aside from the general rules on personal data transfers stipulated in Chapter V of the GDPR, Polish personal data protection law does not set specific restrictions on personal data transfers. This means that the international transfer of personal data to countries outside the European Union/European Economic Area is permitted to countries that ensure an adequate level of data protection, as recognised by the European Commission (“EC”) in an adequacy decision.

Alternatively, a transfer may rely on the standard contractual clauses (“SCCs”) adopted by the EC, binding corporate rules (“BCRs”), or other mechanisms provided for in Chapter V of the GDPR. When relying on SCCs or BCRs, a transfer impact assessment (“TIA”) must be performed and documented.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. Under Article 3(2) of the GDPR, an organisation established outside the EU is subject to the GDPR where it offers goods or services to data subjects in Poland or monitors their behaviour. Any organisation processing personal data of individuals in Poland must therefore comply with the applicable personal data protection regulations, including the GDPR and local personal data protection laws (e.g. the Labour Code if the organisation employs staff in Poland). Failures in this area pose a significant risk of sanctions being imposed by the supervisory authority.

 

What rules specifically deal with marketing?

In Poland, marketing is regulated by several legal regimes:
GDPR:

  • regulates the processing of personal data for marketing purposes;
  • the legal basis for processing is most often the consent of the data subject;
  • it is important to comply with the information obligations arising from Articles 13 and 14 of the GDPR.

Act on Competition and Consumer Protection:

  • marketing practices must not mislead consumers or violate collective consumer interests;
  • content of an advertising or marketing nature must be clearly identified in social media.

Act on Counteracting Unfair Market Practices:

  • regulates aggressive marketing and intrusive sales activities.

Electronic Communications Law:

  • regulates the distribution of commercial information, including direct marketing, via channels such as e-mail, telephone calls, SMS/MMS and push notifications, and introduces an obligation to obtain consent before distributing such information;
  • regulates the rules for the use of cookies, including the instances in which a user’s consent is required for a specific category of cookies.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

In the B2C (business-to-consumer) model, greater emphasis is placed on the protection of natural persons as consumers, arising from the GDPR and the Electronic Communications Law. Conducting direct marketing activities, or even sending commercial information, requires the consent of the recipient. Profiling and online ad targeting are also subject to data protection regulations. Consumers benefit from additional protection under consumer law, which prohibits misleading practices.

In the B2B (business-to-business) marketing model, the recipient’s consent is also required for sending commercial communications, including direct marketing.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Electronic marketing is regulated by the Electronic Communications Law.

Sending unsolicited commercial communications, including direct marketing, is prohibited. Conducting direct marketing activities requires the explicit, informed and freely given consent of the end user (recipient), which, in addition to meeting the GDPR requirements for consent, should be obtained separately for each communication channel (SMS, e-mail, push notifications or any other channel used).

 

What rules specifically deal with cookies?

The collection and use of cookies is regulated by the GDPR and the Electronic Communications Law.

A cookie banner, a consent management tool and a cookie policy must all be provided on the controller’s website. Users must be able to manage their consents through the cookie banner, and no cookies other than strictly necessary ones may be set without the user’s consent.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The President of the Personal Data Protection Office is empowered to impose sanctions in the form of administrative fines. The principle is that the sanction should be effective, proportionate, and dissuasive.

When imposing a penalty, the supervisory authority takes into account, in particular, factors such as:

  • the nature, gravity, and duration of the infringement;
  • the number of affected individuals and the categories of personal data;
  • the extent of the damage;
  • whether the infringement was intentional or unintentional, and the degree to which the controller or processor contributed to the infringement (including in the context of technical and organisational measures applied).

There are two categories of GDPR infringements, each with a corresponding maximum fine:

  • if a controller or processor fails to fulfil one of its obligations (e.g. under Articles 25 to 39 of the GDPR), a fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher;
  • if a controller or processor violates the basic principles of processing, the data subjects’ rights or the rules on international transfers, a fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

In the case of less severe infringements, the authority may issue a warning and order the restriction of processing or the deletion of data.

There are exceptions to these general GDPR thresholds. In Poland, public sector entities such as municipalities, schools or public hospitals are subject to a cap on GDPR fines of PLN 100,000, regardless of the general EU thresholds. Additionally, churches and religious associations with their own supervisory bodies handle sanctions internally rather than through the President of the Personal Data Protection Office.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

In addition to complying with the GDPR, international organisations processing personal data of individuals in Poland should pay attention to the potential obligation to appoint a DPO, to notify the appointment to the President of the Personal Data Protection Office, and to publish the DPO’s contact details on the controller’s website. Moreover, organisations that employ data subjects in Poland are subject to specific rules on the processing of employee data under the Labour Code. Controllers should also remember that certain DPIAs are mandatory in Poland (e.g. in relation to employee monitoring) and that personal data breaches posing even a low risk to data subjects’ rights and freedoms must be notified to the supervisory authority.

 

What upcoming data protection developments should multinational organisations be aware of?

Attention should be given to the range of obligations arising from regulations on artificial intelligence (AI) and on data, and their intersection with personal data protection rules. Another area of growing importance is the regulation of health data processing; in this regard, it is advisable to monitor legislative developments concerning the European Health Data Space (EHDS).

 

Anna Wojciechowska
WKB Wiercinski, Kwiencinski, Baehr
Poland


Katarzyna Wojcikowska
WKB Wiercinski, Kwiencinski, Baehr
Poland