
Guide on how Poland is incorporating the General Data Protection Regulation (GDPR) into its national laws

Legislation Application in Poland: Discussion on Q1 - Relevant Laws, Q2 - Handling Data of the Deceased, Q3 - Legal Foundations for Processing, Q4 - Consent of Minors, Q5 - Managing Sensitive Personal Data

GDPR Implementation Guide for Poland

Poland's GDPR Compliance and Data Protection Regulations

Poland has fully implemented the General Data Protection Regulation (GDPR) as part of its data protection framework, overseen by the Polish Data Protection Authority (UODO). Compliance is actively enforced, as evidenced by recent significant fines, such as the €3.89 million penalty imposed on McDonald's Poland for serious GDPR violations [1].

Sensitive Personal Data and Data Relating to Criminal Convictions

Poland adheres to GDPR provisions, with additional national rules on the processing of sensitive personal data and data relating to criminal convictions. Although data relating to criminal convictions is not classified as "sensitive data" under GDPR, it is subject to special restrictions and can only be processed under strict conditions provided by law [2].

The Personal Data Protection Act limits certain GDPR obligations and sets particular conditions for processing sensitive categories of data, including limitations on informing data subjects in some cases [2]. Employment-related data processing is further regulated by the Polish Labour Code and related employment laws, providing additional safeguards [2].

Data Protection Impact Assessments (DPIAs)

DPIAs are required per GDPR rules, with enforcement by the Polish Data Protection Authority. Non-compliance can lead to significant penalties [1][2].

Specific Regulations

CCTV must not be used to monitor rooms made available to trade unions. It must not be used to monitor sanitary rooms, locker rooms, canteens, and smoking areas, unless the use of monitoring in those rooms is necessary to fulfil the objectives specified and does not violate the dignity and other personal rights of employees [3].

The State Fire Service is authorized to process personal data, including data relating to criminal convictions and offences, for the purpose of recruitment to the State Fire Service, including following the end of the period of service of firefighters [4].

Employers may process data acquired through email monitoring systems (or other monitoring systems) only for the purpose of ensuring the proper functioning of an organization, including the full use of the working time and the proper use of the work tools made available to the employee [5].

Legislation

The Act of 10 May 2018 on the Protection of Personal Data and the Act of 21 February 2019 on the amendments of some legal acts in connection with the implementation of the GDPR are the relevant legislation [6].

Enforcement and Appeals

The DPA has issued guidance on GDPR compliance for various sectors, including electoral campaigns, educational institutions, understanding the risk-based approach, and GDPR compliance for employers [7]. The DPA may publish its decisions in the Public Information Bulletin if it is justified by the public interest [8].

A decision of the DPA may be appealed to the lower administrative court, most decisions of which may be further appealed to the higher administrative court [9]. The DPA has taken enforcement action, including imposing fines for breaches of the GDPR [10].

Consent

All sensitive personal data can be processed if the data subject's valid consent has been obtained [2]. The consent of an employee or applicant may serve as a basis for processing other personal data, excluding personal data relating to criminal convictions and offences [11].

Other Regulations

There are no specific rules governing the processing of personal data of deceased persons [12]. There are no ongoing legal challenges regarding the validity or operation of the national GDPR implementation law [1].

For more information, visit the UODO's website at uodo.gov.pl or contact them at their address: ul. Stawki 2, 00-193 Warsaw, Poland.

[1] McDonald's Poland Fined €3.89 Million for GDPR Violations

[2] GDPR and Poland: Sensitive Data Processing

[3] GDPR and Poland: CCTV Regulations

[4] State Fire Service Data Processing Regulations

[5] Email Monitoring and Other Monitoring Systems Regulations

[6] Relevant Polish Data Protection Legislation

[7] UODO Guidance on GDPR Compliance

[8] UODO Decision Publication Policy

[9] Polish Administrative Court System

[10] UODO Enforcement Actions

[11] Consent for Processing Personal Data in Poland

[12] Personal Data of Deceased Persons in Poland

