Poland Issues Data Protection Act ahead of GDPR Introduction

The Polish Government published draft provisions for the new Data Protection Act, which aims to bring the country’s legal framework on par with the forthcoming EU General Data Protection Regulation (GDPR).

The significant changes that the draft seeks to introduce concern proceedings conducted by the Polish Data Protection Authority (PDPA). These changes are aimed at creating effective legal structures that will accompany the introduction of GDPR in Poland.

Underage Consent to Data Processing

Children under the age of 13 who live in Poland won’t be allowed to consent to data processing without the prior consent of a legal representative. Alternatively, the law permits such a child to consent to data processing on the condition that it is immediately followed by a confirmation from a legal representative. Participation of a legal representative in matters related to the provision of electronic services to children is, therefore, a must.

GDPR Compliance Certificate

The new EU legislation provides for means of establishing certification mechanisms that can attest to the consistency of data processing with EU law. In the PDPA draft, the compliance certificate will be granted by the President of the Office for the Protection of Personal Data. The President of the Office will confirm whether an entity satisfies the requirements for holding a certificate.

President of the Office for the Protection of Personal Data

The President of the Office will execute his/her duties assisted by three deputies. In addition, he/she will get support from the Council for the Protection of Personal Data, which serves as the consultative and regulatory body.

Infringement Proceedings

The PDPA outlines the regulations of conduct for violations of the provisions of the data protection law. The Draft provides several possibilities. They include the possibility of requesting social organizations dealing with personal data protection to participate in the proceedings. The Draft will allow documents written in a foreign language to be submitted. However, the President of the Office can request a Polish translation. The Draft also provides the possibility of keeping the documents handed over to the President of the Office confidential. The President of the Office, though, has the power to waive that reservation.

The President of the Office will have the authority to limit the right of access to the evidence where access could reveal business secrets. The Draft also states that the culprit may be required to limit processing of data while a case of data protection regulation infringement is pending against them.


The President of the Office will be mandated to conduct inspections on compliance with the regulations. The inspections will be carried out based on information obtained or an analysis report. An inspection may not take more than one month. Based on the inspection report, if the President of the Office feels that data protection rules might have been violated, he/she is obligated to initiate disciplinary proceedings against culpable individuals. The President of the Office is required by law to inform law enforcement authorities in such cases.

Civil Liability

An individual may demand the termination of a process if they feel their rights under the Personal Data Protection Act have been breached. In addition, the Draft Law requires the infringer to initiate appropriate actions to remove the effects. The regional court will be mandated to hear such cases. The court will coordinate with the President of the Office on several issues once a case is filed.

Financial Penalties

The President of the Office will have the authority to impose the administrative fines outlined in the GDPR. The penalty will depend on the type of violation and go up to €20 million or 4% of total annual global revenue, or up to €10 million or 2% of the global turnover, whichever is the greater amount. Financial penalties are to be cleared within 14 days from the date of the court ruling.

Criminal Provisions

The PDPA draft imposes a fine on an individual who obstructs a compliance inspection. In addition, it provides for a penalty of restriction of liberty or imprisonment for up to a year for processing sensitive data without consent.

Changes to the Labor Code

The PDPA draft introduces changes to several sectoral laws. They include the Public Roads Act, Labor Code, Electronic Services Act, Telecommunication Act, Banking Act and Payment Service Act. Some of the changes proposed to the Labor Code include allowing the employer to process, based on consent, candidate or employee data different from the data indicated in the Labor Code. Employees’ biometric data will be processed based on consent as well. The draft also forbids negative treatment of an employee or candidate who refuses to give consent to data processing. Processing of categories of data such as addiction, health status, sexual orientation or sexuality is not allowed even when consent is given.

Transitional Provisions

The draft introduces a number of transitional provisions to facilitate smooth alignment of Polish law with the EU GDPR. These provisions cover the Data Protection Officer (DPO) and transfers under BCR. Individuals working as information security administrators will function as DPOs until 1 September 2018. A controller who transfers personal data to a third country under BCR is entitled to continue doing so for not more than 12 months from the date when the amendment act takes effect.