New Data Protection and Personal Privacy Law in Poland

Poland’s Act of 10 May 2018 on the Protection of Personal Data is a data privacy law that was passed in 2018. Act of 10 May 2018 on the Protection of Personal Data was enacted for the purposes of implementing the provisions of the General Data Protection Regulation or GDPR into Polish law, in accordance with provisions of the EU’s GDPR law that allow for member states to pass their own legislation for the purposes of strengthening the protection offered by said regulation. To this point, the Act of 10 May 2018 on the Protection of Personal Data sets forth the legal framework that must be followed when collecting and processing personal data within Poland, as well as the penalties that individuals and organizations stand to face should they fail to comply with this legal framework.

What are the differences between Poland’s Act of 10 May 2018 on the Protection of Personal Data and the EU’s GDPR law?

In terms of the differences between Poland’s Act of 10 May 2018 on the Protection of Personal Data and the EU’s GDPR law, the two laws are largely identical to one another, with some minor exceptions. For example, both laws place similar restrictions on data controllers and processors, and also provide similar rights to data subjects. However, the two laws do vary as it concerns the appointment of a data protection officer, or DPO for short. As stated in the law, “the Act introduces an obligation to notify the Polish data protection authority (UODO) about the designation of a DPO within 14 days following the appointment or of any changes to the DPO. Moreover, a company that designates a DPO is obliged to publish the DPO’s contact details, including name, surname, email address, and phone number on its website (or, in the absence of a website, in a manner generally accessible at its place of business).”

Alternatively, the two laws also differ from one another as it relates to the retention of personal data that is collected and processed. Within Poland, “there are several statutory minimum or maximum retention periods set out by law.” Conversely, there are also instances where a particular data retention period must be decided in accordance with the EU’s GDPR law’s storage imitation principle, which mandates that personal data that is collected or processed for a particular purpose may not be retained for any period of time longer than is needed to fulfill the said purpose. Subsequently, some examples of retention periods that are set forth in Poland’s Act of 10 May 2018 on the Protection of Personal Data include:

• Employee documentation for 10 to 50 years (depending on the particular circumstances);
• Accidents and injury at work documentation for 10 years from making the files;
• Employee CCTV recordings for three months from the date of recording (if the recorded event is subject to further proceedings, as long as the event is fully explained); and
• Tax documentation for five years from the end of the calendar year in which tax payment was due.

What are the rights of Polish citizens under Poland’s Act of 10 May 2018 on the Protection of Personal Data?

The rights of Polish citizens under Poland’s Act of 10 May 2018 on the Protection of Personal Data are largely the same as the data protection and personal privacy rights that are extended to citizens residing within other EU member states. Such rights include but are not limited to the right to be informed, the right to access, the right to object or opt-out of data processing activities, and the right to data portability. However, Poland’s Act of 10 May 2018 on the Protection of Personal Data does vary from the EU’s GDPR law as it pertains to the exceptions concerning these rights. For example, as it concerns the right to rectification, “personal data processing in relation to journalistic, artistic, or literary activity, Article 16 of the GDPR does not apply.”

In terms of the enforcement of Poland’s Act of 10 May 2018 on the Protection of Personal Data, the provisions of the law are enforced by the Polish data protection authority, or the UODO for short. As such, the UODO has the authority to impose a variety of fines and penalties against data controllers and processors within Poland who fail to comply with the law. Such sanctions include monetary fines of up to PLN 100,000 ($25,119) for public bodies within the country, as well as a monetary fine of up to PLN 10,000 ($2,511) for other entities. What’s more, data controllers and processors also face fines ranging from €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, to a fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.

As the passing of Poland’s Act of 10 May 2018 on the Protection of Personal Data effectively implemented the provisions of the EU’s GDPR law into Polish law, Poland was able to guarantee the data privacy rights of their respective citizens. Through the penalties that can be imposed by the UODO in accordance with both laws, data controllers and processors within the country face steep fines should they fail to comply with the provisions set forth in any shape or form. As such, Polish citizens can have the assurance and peace of mind that they can pursue multiple avenues of recourse should their data protection or personal privacy rights be infringed upon for any reason.