Data Advocacy for Poland
As a member of the European Union, Poland implemented EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of laws of 2016, item 922, hereinafter referred to as the “PDPA”). To the extent relating to the processing of personal data by providers of publicly available telecommunications services, a number of provisions of the Telecommunications Act of 16 July 2004 (consolidated text: Journal of laws 2016, item 1489, hereinafter referred to as the “Telecommunications Act”) are applicable. In addition, a number of sector-specific statutes relating to, among others, employment and banking also contain specific regulations on the processing of personal data.
Law Applicable:
The processing of Personal Data in Poland is regulated by the Law on the Protection of Personal Data (“PPD”) of August 29, 1997 (as amended), and the Ordinance of the Minister of Internal Affairs and Administration of April 29, 2004, specifying the required documentation for processing Personal Data and the technical and organizational requirements which should be fulfilled by equipment and computer systems used for processing Personal Data.
Furthermore, the Minister of Administration is working on an ordinance specifying the tasks of Data Protection Officers, which should enter into force later this year. In general, the PPD implements the provisions of the EU Data Protection Directive (95/46/EC).
The PPD applies to the processing of Personal Data in files, indices, books, lists and other registers, as well as those contained in computer systems (even if they do not constitute a data filing system).
With regard to collections of Personal Data which are compiled on a short-term basis exclusively for technical or training purposes or in connection with teaching purposes in schools of higher education, and which, upon being used, are immediately removed or treated so as to make them anonymous, only limited provisions of the PPD apply, in particular those related to security requirements.
Apart from the PPD, several other statutes provide specific provisions regarding Personal Data protection, e.g., the Act on Providing Services through Electronic Means. In addition, Article 173 of the Telecommunication Law refers to the use of cookies.
The Inspector General for the Protection of Personal Data (hereinafter referred to as the “Inspector General”)
(Polish: Generalny Inspektor Ochrony Danych Osobowych)
Contact information:
(Office of the Inspector General for the Protection of Personal Data)
Biuro Generalnego Inspektora Ochrony Danych Osobowych
Stawki 2
00-193 Warsaw, Poland
T (22) 531 03 00 F (22) 531 03 01
The Office of the Inspector General is open from Monday to Friday from 8 am to 4 pm.
The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (In Bulgarian:).
2 Professor Tsvetan Lazarov, Sofia 1592
Bulgaria
www.cpdp.bg
A data controller is not obliged to appoint a data protection officer. However, if a data protection officer is appointed and registered with the Inspector General, the data controller is not obliged to register a data filing system with the Inspector General provided that the data processed are non-sensitive. The data protection officer is not explicitly required to be a citizen or resident of Poland, but he/she must (i) have full capacity to perform legal acts and enjoy full civil rights; (ii) have relevant knowledge in the field of personal data protection; and (iii) not have been punished for an intentional offence.
The scope of the data protection officer’s duties is specified in the PDPA. According to the PDPA, a data protection officer is obliged to:
- ensure compliance with provisions on the protection of personal data, in particular to:
- check compliance of personal data processing with the provisions on the protection of personal data and prepare a report in this regard for the data controller
- supervise the development and updating of the security policy and the computer system management instruction and ensure compliance with the principles specified in these documents
- ensure that the persons authorised to process personal data become acquainted with provisions on the protection of personal data
- keep a register of data filing systems processed by a data controller (subject to the exceptions set out in the PDPA) whereby the register must contain the name of the data filing system and certain information required for notifying the data filing system set out in the PDPA, and
- comply with a request from the Inspector General to carry out an inspection regarding the data controller’s compliance with provisions on the protection of personal data, indicating the scope and date of the inspection.
The data controller is obliged to ensure that the data protection officer has adequate resources and is organisationally autonomous and that he reports directly to the head of the organisational unit (which is usually the management board or chairman of the board) or to an individual who is the data controller.
The procedure for the notification of the appointment and removal of a data protection officer by a data controller is formalised and notification should be made to the Inspector General within 30 days of the appointment or removal of a data protection officer.
If a data controller decides not to appoint a data protection officer, the duties of the data protection officer are performed by the data controller itself, except for the obligation to prepare reports on the compliance with provisions on the protection of personal data. In such a situation, the data controller does not keep a register of data filing systems, but it is obliged to register data filing systems with the Inspector General, unless the PDPA provides for an exemption from this obligation (e.g. if the processing is related to the data controller’s employment-related activity).
General and conditions
In Poland, organizations may appoint a Data Protection Officer. The appointment is voluntary. The Data Protection Officer must fulfill the following conditions:
- have full legal capacity and full public rights;
- have no criminal record for intentional crimes; and
- have sufficient knowledge of Personal Data protection.
The appointment and the recalling of the Data Protection Officer should be notified to GIODO.
Tasks
The tasks of the Data Protection Officer include:
- ensuring compliance with the provisions on processing Personal Data in the organization;
- preparing periodic and ad hoc (special) reports for the Data Controller;
- supervising the preparation and update of documentation on Personal Data processing and compliance with the rules provided in this documentation;
- ensuring that the persons authorized to process Personal Data are familiar with the data protection laws; and
- keeping a publicly available register of the databases held by the Data Controller.
Legal Position
The Data Protection Officer must answer directly to the “head of organizational unit” or the natural person who acts as the Data Controller. The Data Controller must create the conditions and “separation within its organization” necessary for the independent exercise of tasks by the Data Protection Officer.
There is no requirement in the PDPA to notify data security breaches or losses of data to the Inspector General or to data subjects. However, pursuant to the Telecommunications Act, the provider of telecommunications services is obliged to immediately, but not later than within 3 days of learning about a data breach, notify the Inspector General about such a data breach. In the event that a data breach could have a negative impact on the rights of a subscriber or end user being an individual, the service provider should immediately, but not later than within 3 days of learning about the data breach, also inform the subscriber or end user (in addition to informing the Inspector General) about this breach.
Under the Telecommunications Act, a personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed in connection with the provision of publicly available telecommunications services by a telecommunications provider. A personal data breach which may have an adverse effect on the rights of a subscriber or end user being an individual means a breach which, in particular, may result in unauthorised use of personal data, damage to property, harm caused to personal interests, or disclosure of a bank secret or other professional secret protected by law.
It is not required to notify the Inspector General if the provider of publicly available telecommunications services (acting as a data controller) has implemented appropriate technical and organisational protection measures provided for in the PDPA that prevent the reading of data by unauthorised persons and has applied those measures to the data whose protection has been breached (e.g. anonymization of personal data).
If the provider of publicly available telecommunications services fails to notify a subscriber or an end user being an individual of a personal data breach, the Inspector General may impose on the provider, by means of an administrative decision, an obligation to notify subscribers or end users about that breach, taking into account the potential adverse effect thereof.
In general, there is no legal obligation under the PPD to provide notice of a data security breach. An exception applies to the providers of publicly available telecommunication services, which must inform GIODO about security breaches no later than within three days. The Data Protection Officer usually keeps records of data security breaches, which identify and describe the breach and the measures taken to address the breach (e.g., remedies implemented to prevent future breaches). In case of an audit, such records should be produced to the GIODO. Furthermore, organizations that are involved in data breach situations are required to: (i) gather information about the breach; (ii) assess the potential risk of harm to Data Subjects; (iii) take steps to mitigate the harm to impacted Data Subjects; (iv) take steps to contain the breach and to prevent future similar breaches; and (v) assist authorities with any investigation relating to the breach.
An organization that is involved in a data breach situation may be subject to closure or cancellation of the file, register or database, civil actions, and/or criminal prosecution.
Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)
Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.
The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:
- the recipient’s details were originally collected “in the context of a sale”.
- the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
- the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
- the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.
Applicable Legislation:
Act on Personal Data Protection (‘PDP’)
Act on e-Services (‘e-Services’)
Telecommunications Law (‘Telco’)
First party e-marketing
(entity that collects the data will send the e-marketing itself)
B2C: Opt-in
B2B: Opt-in.
Third party e-marketing
(entity that collects the data will share with third party partner for e-marketing)
B2C: Opt-in
B2B: Opt-in.