Stage of legislative progress 
Eg. pre-consultation, in consultation

The Personal Data Protection Act (PDPA) is in force. The draft of the Act on Changes to the Sectoral Acts (ASA) is still being consulted at the government level.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The current Data Protection Law will be repealed and replaced by PDPA. The Inspector General for Personal Data Protection (GIODO) will be replaced by the President of the Personal Data Protection Office (PUODO). ASA will introduce amendments to the existing sectoral acts.

Timescale for implementation 
Eg. pre-consultation, in consultation

The PDPA becomes law on 25 May 2018. It is uncertain when ASA will become law; it is highly possible that this will happen in autumn 2018.

Areas where Member States must have local laws:

Personal data and freedom of expression 

PDPA provides that some provisions of GDPR will not apply where personal data is processed for journalistic purposes or for the purposes of academic, artistic or literary expression.


PDPA provides two criminal sanctions: (i) for unpermitted and unauthorized processing, and (ii) for jeopardizing or impeding the GIODO's inspection.

Areas where Member States may have local laws:

Professional secrecy 

PUODO's right of access to information and personal data will be limited by professional secrecy.

Scientific, historical or statistical purposes 



Employers are obliged to request from job candidates and employees an exhaustive list of data categories set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of the management board members).

Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of the employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring appropriate work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.

Personal data of deceased persons 


Children online

Expect new legislation to decrease the age to 13.

Special rules for special categories of data

Genetic, biometric or health data

(i) Employers are allowed to process biometric data of employees if necessary to ensure access control to particularly important information or access control to premises requiring special protection; (ii) banks and payment service providers are allowed to process clients' biometric data in order to verify their identity or authenticate their activities, upon receiving their explicit consent.

Designation of a Data Protection Officer

No special requirements. Only rules related to notification of the DPO to PUODO.

National identification numbers/any other identifier of general application



Any other areas under discussion
PDPA provides an administrative and a civil procedure for data subjects to pursue their rights.