Poland

The Personal Data Protection Act (PDPA) is in force. The Act on Changes to the Sectoral Acts (ASA) came into force on 4 May 2019.

The old Data Protection Law has been repealed and replaced by the PDPA. The Inspector General for Personal Data Protection (GIODO) has been replaced by the President of the Personal Data Protection Office (Prezes UODO). The ASA introduces amendments to existing sectoral acts (more than 160 acts) in order to ensure compliance with the GDPR.

The PDPA became law on 25 May 2018. It is uncertain when the ASA will become the law, it is highly possible that it will happen at the end of 2018/beginning of 2019.

Areas where Member States must have local laws:

The PDPA provides that same provisions of the GDPR will not apply where personal data is processed for journalistic purposes, artistic or literary expression (the following articles of the GDPR will not apply: 5-9, 11, 13-16, 18-22, 27, 28 (2)-(10), 30) or for academic purposes (the following articles of the GDPR will not apply: 13, 15 (3)-(4), 18, 27, 28 (2)-(10),  30).

Criminal sanctions for: (i) unpermitted and unauthorized processing, (ii) jeopardizing or impeding a UODO inspection, (iii) failure to provide UODO with data necessary to determine the basis for an administrative fine.
Additionally, the ASA introduced changes to the Criminal Code that penalize the threat of causing criminal proceedings or other proceedings in which an administrative pecuniary penalty may be imposed. This change is aimed at counteracting GDPR fraud.

Areas where Member States may have local laws:

The UODO's right of access to information and personal data will be limited by professional secrecy.

The UODO, and employees of the Office, will be obliged to maintain the secrecy of information that has come to their knowledge in connection with the exercise of their official duties.

The ASA adjusts the Act on Higher Education regulating data processing for scientific research purposes. The changes apply only to entities and institutions listed in the abovementioned act. The changes include:

• Articles 15, 16, 18 and 21 of the GDPR are excluded if it is likely that the law specified in these provisions will prevent or seriously impede research and development purposes and if the mentioned exemptions are necessary to achieve these goals
• The processing of special category data for scientific research purposes is permitted provided that the publication of the results takes place in a way that prevents the identification of individuals
• An obligation to implement specific security measures for personal data processing in relation to scientific research.

Other changes envisaged for the public sector concern the following acts:

• the Act on Official Statistics (including, i.a., an exclusion of the application of Articles 15, 16, 18 and 21 of the GDPR, prohibition the collection of special categories of data and  data related to criminal offences on the basis of an obligation in statistical surveys conducted with the participation of natural persons),
• the Act on the National Archival Resources and Archives (including, i.a., a limitation of the application of Articles 16 and 18 of the GDPR).

The ASA provides changes to the Act on the Information System in Health Care, under which data included in medical records can be made available for the purpose of conducting scientific research and for statistical purposes only in anonymized form.

Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entities can process such data (e.g. criminal convictions of management board members).

However, the processing of a candidate/employee's special categories of personal data by a (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided t the candidate’s/employee’s initiative. It is also prohibited in all circumstances for a (potential) employer to process a candidate’s/employee's personal data relating to criminal convictions and offences even if such processing is based on his/her consent. The only basis for such processing is a legal obligation.

An employer may (i) use CCTV for the purpose of ensuring employees' security, protecting the employer's property, production control, and information security; and (ii) monitor employees' emails and use other monitoring methods for the purpose of ensuring that emails are appropriate for the work organization and that employees are making full use of their working hours and appropriate use of the working tools made available to them. The Labour Code sets out more specific rules on employees' monitoring.

No provisions

16 years

Changes applicable to the private sector include, e.g., changes to (i) the Act on Insurance and Reinsurance Activity, enabling insurance companies to process personal data, including health data, in an automated manner, including through profiling, in order to assess insurance risk and perform insurance contracts; (ii) the Public Procurement Law, which provides that the transparency principle is not applicable to special categories of personal data collected in a procurement procedure; and (iii) the Banking Law, prohibiting banks from using special categories of data to make decisions based solely on automated processing, including the profiling of personal data in order to  access creditworthiness and analyse credit risk.

Employers are allowed to process employees' biometric data where necessary to ensure control over access to particularly important information or to premises requiring special protection.

In addition, a person who will be processing special categories of employees' personal data should be granted a written authorization to do so, and must be obligated to maintain confidentiality.

Rules relating to notification of the DPO to the UODO.

The ASA introduces the institution of a deputy DPO, who can act in the absence of the DPO. The same notification requirements apply when designating a deputy DPO.

If a group level DPO is appointed and the DPO function is meant to cover Poland as well, then the global DPO must be notified to the UODO.

Additionally, a company that designates a DPO is obliged to publish the DPO's contact details, including their name, surname, email address or phone number on its website or, in the absence of a website, in a manner generally accessible at its place of business.

n/a

Other: