Poland: New rules on cookies and data breach notification

08 January 2013

Emilia Stępień

New rules on cookies and data breach notification will come into effect on 22 March 2013, 90 days after the publication of the Act on 16 November 2012. This amended the Telecommunication Law and other laws (the Act) in the Official Journal [1]. This will come into effect on 21 January 2013.

The Act implements Directive 136/2009 (25 November 2012) into the Polish Telecommunication Law (16 July 2004), with the new rules on cookies and data breach notification affecting the telecommunications sector only.

I. Cookies

The ‘opt-in’ model

The Act provides for the ‘opt-in’ model, where informed consent should be obtained from the end-user or subscriber of the telecommunication services before cookies are stored in or are accessible on the subscriber’s device. Such consent can be expressed by software settings, including browser settings. Storage and access to cookies cannot lead to a change in the configuration of the subscriber’s device or the software installed on such device.

Consent for cookies is not required when storage or access to cookies is necessary to:

  • carry out transmission in the public network, or

  • provide an electronic service

Informed consent

The storage of, and access to, cookies will only be allowed if the subscriber is informed in advance (directly, unambiguously and in an easily understandable manner) about:

  • the purpose of storage and gaining access to cookies,

  • the possibility to determine the terms of storing and gaining access to cookies by appropriate software  settings.

After obtaining the above information, the subscriber may consent to the storage or the accessibility to cookies. Such consent can be expressed by software/service settings, including browser settings.

The Act provides that the subscriber, upon obtaining the aforementioned information, will be able to express their informed consent by configuring browser settings or by leaving the default settings, allowing the storage and access to cookies.

Scope of application

The new rules on cookies will only apply to telecommunication undertakings providing telecommunication services to their subscribers.  This is because the Act regulates the provision of telecommunication services providing telecommunication services (unless expressly provided for in a particular provision that the Act applies to other entities – which is not the case when it comes to cookies). Therefore, it seems the new rules should not directly apply to entities such as electronic service providers or third party advertisers.  


Poland has reached a cross road with the implementation of the new cookie rules. On one hand, if the NRA (the Office for Electronic Communication) interprets the Act in line with its justification, the informed consent model may in fact be closer to an ‘opt–out’ model (where appropriate information combined with default browser settings will suffice for the informed consent). However, the Polish Data Protection Authority (the General Inspector for Personal Data Protection) - the “DPA”, has recently raised its concerns that browser settings are not sufficient from a privacy perspective.  

II. Data Breach Notification

The Act introduces an obligation on providers of publicly available telecommunication services (the PTS) to notify cases of personal data breach. Such breach is understood as accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to personal data.

Notification: who, when and how?

The DPA should always be informed about personal data breach. In addition, in cases of the personal data breaches that are likely to adversely affect the personal data or privacy of a subscriber or an individual end-user, the PTS must also notify the subscriber or the end-user. Adverse affects are likely when the breach may result in the unlawful use of personal data, substantial damage to property or moral injury; and the disclosure of banking secrecy or other statutory protected professional secrecy.

The DPA and the subscribers should be notified immediately, but no later than within 3 days of the discovery of the personal data breach.

The Act lists information that should be covered by the notice. That includes, amongst others, description of the nature of the data breach, consequences of the data breach and the proposed remedies. Additionally, notification to the DPA should indicate whether the affected subscribers were informed.

Exemption from notification

The PTS is exempt from notifying the subscribers and end-users if the PTS implemented appropriate security measures which rendered the data unintelligible to any unauthorized third party and such measures were applied specifically to the data concerned by the breach.


The PTS is obliged to run an inventory of personal data breaches.

Lack of notification

In case the PTS fails to appropriately notify the DPA or the subscribers, the DPA may order appropriate notification.

This article was written by:

Emilia Stępień
Senior Associate

[1] Official Journal no. 1445 of 21 December 2012, which is available in Polish here: http://dziennikustaw.gov.pl/du/2012/1445/1