Poland

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CCTV

ADDITIONAL REQUIREMENT:

  1. Employee CCTV Monitoring:

    1. General Scope and Purposes: The Polish Act modifies the Polish Labor Code with respect to CCTV monitoring of employees and provides that such monitoring is legitimate when it is carried out for security purposes (to protect company premises or confidential information) (Art 111 Polish Act).

    2. Exception: CCTV recording may not cover sanitary rooms, cloak rooms, company lunch rooms, and smoking areas unless under specific safeguards (the employees recorded must be unrecognizable).

    3. Retention Period: The CCTV recordings shall be processed solely for security purposes and not stored for a period exceeding three months, except when recordings are used in judicial proceedings. In such case, recordings may be kept until the end of such proceedings.

    4. Notice: The employer is required to provide notice to the employees about CCTV monitoring, except when it is covered by a collective labor agreement (in which case notice may be given there). Notice must be given no later than one day before the launch of CCTV monitoring and may be done in the form of appropriate signage or sound notices indicating which area is being monitored.

  2. CCTV Monitoring in Public Places:

    1. General Scope and Purposes: Municipalities may install CCTV monitoring for security purposes in public areas (including in and around public buildings) (Art 114 Polish Act).

    2. Exception: CCTV recording may not cover sanitary rooms, cloak rooms, company lunch rooms, social facilities, and smoking areas.

    3. Retention Period: The CCTV recordings shall be processed solely for security purposes and not stored for a period exceeding three months, except when recordings are stored on an explicit legal basis.

    4. Notice: Notice shall be provided by appropriate signage.

EMPLOYEE EMAIL MONITORING

ADDITIONAL REQUIREMENT:
General Scope and Purposes:
An employer may conduct email monitoring of its employees to the extent this is necessary to verify work performance and proper use of company IT devices (Art 111 Polish Act). Email monitoring cannot violate the secrecy of correspondence.

CHILD'S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

DEVIATING REQUIREMENT:
Right of Access and Information:
The data controller that is exercising a task in the public interest does not need to disclose information regarding further processing purposes when this is necessary to comply with the task of public interest or when this is necessary to protect confidential information (Art 3 Polish Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENTS (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

SPECIFYING REQUIREMENT:

  1. Definition of “Public Authority”: “Public authorities” required to appoint a DPO are defined as units of the public finance sector, research institutes, and the National Bank of Poland (Art 9 Polish Act).

  2. Notification Procedure: The appointed DPO, with relevant contact details, must be announced (in electronic form) to the Polish supervisory authority within 14 days following appointment. In the same manner, the data controller must notify the SA within 14 days of any change in appointment of the DPO (Art 10 Polish Act).

CERTIFICATION (ART 42)

SPECIFYING REQUIREMENT:

  1. Application for Certification: Applications for certification must contain at least the contact details of the entity wishing to apply for certification, motivation of compliance with certification criteria, and indication of the scope of the requested certification (Art 17 Polish Act). The SA must examine the application within three months after submission of the application (Art 18 Polish Act).

  2. Inspection: The SA is competent to carry out inspection activities to verify compliance with a granted certificate (Art 24–25 Polish Act).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT:

  1. Procedure: The procedure before the Polish supervisory authority is considered an administrative procedure that only accommodates first-instance proceedings (no appeal procedure shall be held before the SA). Appeal against a decision of the supervisory authority must be filed with the competent administrative courts. A translation into Polish may be requested from the applicant (Art 7 and 63 Polish Act).
  2. Restrictions on Processing: The SA may restrict a processing activity if it is probable that the processing concerned is a violation of the Polish Act and a restriction is necessary to prevent further harm during proceedings preceding a decision on a potential violation. A restriction may only be imposed to the extent necessary and must allow an acceptable level of processing. A restriction must be limited in time and must end at the latest at the date a decision is taken on a potential violation (Art 70 Polish Act).
  3. Preliminary Question to the Polish Administrative Court: If, during proceedings before the supervisory authority, the SA determines that there are reasonable doubts about one of the following decisions of the EU Commission, it can decide to file a request with the Polish Administrative Courts for clarification: (1) decisions on (approved) codes of conduct; (2) adequacy decisions (granting or withdrawals); and (3) standard contractual clauses (Art 71 Polish Act).
  4. Cooperation with Other SAs: The Polish SA may impose a provisional penalty if there is a lack of (timely) cooperation from another SA. When doing so, it shall determine the term during which such measure is valid (Art 75 Polish Act).
  5. Audits:
    1. Audits: Audits/inspections may be carried out from 6AM to 10PM each day. Auditors may be assisted by experts or by police force when necessary (Art 84–85 Polish Act).
    2. Exclusion for Auditors: Specific members of the SA conducting investigations or audits in the preparation of regulatory proceedings may be excluded if they cannot be considered impartial, for instance if audits can result in benefits to him/her or to his/her spouse, cohabitants, and persons related to the auditor in the second or third degree (Art 80 Polish Act). Any audits/inspections must be carried out upon presentation of a personal authorization document along with a service card and/or a document confirming the auditor’s identity. The personal authorization document confirms the legal basis for inspection, the scope of inspection, and the identity of the auditor (Art 81 Polish Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

CIVIL LIABILITY (ART 82)

DEVIATING REQUIREMENT:

Proceedings: When administrative proceedings are pending and civil proceedings are initiated, the civil court shall stay civil proceedings to the extent administrative proceedings were already initiated before the start of civil proceedings (Art 95 Polish Act). A final decision issued by the SA in administrative proceedings is binding upon the court ruling in civil proceedings (Art 97 Polish Act).

ADMINISTRATIVE SANCTIONS (ART 83)

ADDITIONAL REQUIREMENT:

  1. Conversion to PLN: Amounts expressed in EUR shall be applied as their equivalent in PLN, converted at the average EUR exchange rate set by the National Bank of Poland (Art 103 Polish Act).

  2. Specific Maximum Fine for Public Bodies: The following three public bodies are excluded from the maximum administrative fines set forth by the GDPR and can solely be subject to a maximum fine of 100,000 PLN: (1) the public finance sector; (2) research institutes; and (3) the National Bank of Poland (Art 102 Polish Act).

  3. Deadline: An administrative fine is payable within 14 days from the day of the administrative decision (Art 105 Polish Act). After this deadline, interest may apply.

PENALTIES (ART 84)

DEVIATING REQUIREMENT:
Imprisonment:
The Polish Act imposes imprisonment of up to two years as an alternative penalty to the administrative fine (with maximum imprisonment of up to three years if the processing activity involves sensitive data) (Art 107 Polish Act).

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH, OR STATISTICAL PURPOSES (ART 89)

No Deviation

OBLIGATIONS OF SECRECY (ART 90)

ADDITIONAL REQUIREMENT:
Members of the Supervisory Authority: The president, the deputy president, and other members of the SA are bound to confidentiality of all information disclosed to them in the performance of their official duties (Art 46 Polish Act). This confidentiality obligation continues after termination of employment with the SA.

Procedure: Documents covered by trade secrets may be filed in redacted form with the supervisory authority in the context of proceedings before the SA. The company must also submit the documents concerned in nonredacted format; however, redaction shall be respected when documents are solicited by other SAs or other official bodies (Art 65 Polish Act).

LOCAL DPA GUIDANCE & LEGAL SOURCES