LAW

As a member of the European Union, Poland implemented EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text Journal of Laws of 2002, No 101, item 926 as amended, hereinafter referred to as the "PDPA"). The implementation was introduced by the Amendment of Certain Laws in Connection with Membership of the Republic of Poland in the European Union of 24 August 2007 (Journal of Laws of 2007, No 176, item 1238).

DEFINITION OF PERSONAL DATA

The PDPA states that personal data shall mean any information relating to an identified or identifiable natural person. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

DEFINITION OF SENSITIVE PERSONAL DATA

Pursuant to the PDPA sensitive personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union membership, as well as personal data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings.

NATIONAL DATA PROTECTION AUTHORITY

General Inspector of Personal Data Protection

(Generalny Inspektor Ochrony Danych Osobowych)

REGISTRATION

As a general rule, data controllers who process personal data must notify the General Inspector about the data filing system containing such data. The General Inspector keeps a register of data controllers and data filing systems, which is available to the public.

The obligation to register data filing systems does not apply to the data controllers of data which:

  • include confidential information;
  • were collected as a result of inquiry procedures conducted by officers of bodies authorised to conduct such inquiries;
  • are processed by relevant bodies for the purpose of court proceedings and on the basis of the provisions on the National Criminal Register;
  • are processed by the Inspector General of Financial Information;
  • are processed by relevant bodies for the purpose of Poland's participation in the Schengen Information System and Visa Information System;
  • are processed by relevant bodies on the grounds of laws which regulate the exchange of information with law enforcement agencies of EU Member States;
  • relate to the members of churches or other religious unions with an established legal status, being processed for the purposes of these churches or religious unions;
  • are processed in connection with the employment by the controller or providing services for the controller on the grounds of civil law contracts, and also refer to the controller's members and trainees;
  • refer to the persons availing themselves of health care services, notarial or legal advice, patent agent, tax consultant or auditor services;
  • are created on the basis of electoral regulations concerning the Lower Chamber of the Polish Parliament, the Senate, the European Parliament, communal councils, district councils and provincial councils, the President of the Republic of Poland, the head of a commune, the mayor or president of a city, and acts on national referendums and municipal referendums;
  • refer to persons deprived of freedom under the relevant law within the scope required for carrying out the provisional detention or deprivation of freedom;
  • are processed for the purpose of issuing an invoice, a bill, or for accounting purposes;
  • are publicly available;
  • are processed in the preparation of a thesis required to graduate from a university or be awarded a degree; or
  • are processed with regard to minor, everyday affairs.

The data controller may start the processing of data in the data filing system after notification of the system to the General Inspector, unless the controller is exempted from this obligation. Nevertheless, the data controller of sensitive data may start the processing of these data in the data filing system after registration of the file, unless the data controller is exempted from the obligation to submit the system for registration.

The notification should include, in particular, the following information:

  • the identity of the data controller and any data processors;
  • the legal grounds for data processing;
  • the purpose of the processing;
  • a description of the categories of the data subjects;
  • the scope of processing of the data;
  • the means of data collection and disclosure;
  • a description of the technical and organisational measures undertaken in order to comply with the goals defined in the PDPA; and
  • information relating to the possible data transfer to a third country.

DATA PROTECTION OFFICERS

The data controller is obliged to appoint an administrator of information security who supervises the compliance with security measures implemented in order to protect the personal data against their unauthorised disclosure, takeover by an unauthorised person, processing with the violation of the PDPA, any change, loss, damage or destruction.

COLLECTION AND PROCESSING

The processing of data is permitted only if:

  • the data subject has given his/her consent, unless the processing consists in erasure of personal data;
  • processing is necessary for the purpose of exercise of rights and duties resulting from a legal provision;
  • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the performance of tasks provided for by law and carried out in the public interest; or
  • processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

Where sensitive data is processed, one of the following conditions must be met:

  • the data subject has given his/her written consent, unless the processing consists of the erasure of personal data;
  • the specific provisions of other statutes provide for the processing of such data without the data subject's consent and provide for adequate safeguards;
  • processing is necessary to protect the vital interests of the data subject, or of another person, where the data subject is physically or legally incapable of giving his/her consent, until a guardian or curator has been established;
  • processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profit organisations or institutions with a political, scientific, religious, philosophical, or trade union aim, provided that the processing relates solely to the members of those organisations or institutions or to the persons who have regular contact with them in connection with their activity, and subject to providing appropriate safeguards for the processed data;
  • processing relates to the data necessary to pursue a legal claim;
  • processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his/her employees and other persons, and the scope of processing is provided by the law;
  • processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing appropriate safeguards;
  • the processing relates to those data which were made publicly available by the data subject;
  • it is necessary to conduct scientific research, including preparation of a thesis required for graduating from university or receiving a degree; any results of scientific research shall not be published in a way which allows data subjects to be identified; and
  • data processing is conducted by a party to exercise the rights and duties resulting from decisions issued in court or administrative proceedings.

The data controller is obliged to provide a data subject with information including: the identity of the data controller, the purpose of data collection, the data recipients or categories of recipients, if known at the date of collecting, the existence of the data subject's right of access to his/her data and the right to rectify these data, whether the replies to the questions are obligatory or voluntary, and in case of existence of the obligation about its legal basis. Further information is required if personal data has not been obtained from a data subject.

TRANSFER

The transfer of personal data to a third country (i.e. a country outside the European Economic Area) may take place only if the country of destination ensures an adequate level of data protection.

The adequate level of protection of personal data is evaluated taking into account all the circumstances surrounding the data transfer, in particular taking into account the nature of the data, the purpose and duration of the proposed processing operation, the country of origin and country of final destination of the data, the laws applicable in the third country, safety measures used in this country and business conduct.

Nevertheless, the data controller may transfer the personal data to a third country provided that:

  • the data subject has given his/her written consent;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject's request;
  • the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and another subject;
  • the transfer is necessary or required by reasons of public interest or for the establishment of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject; or
  • the transfer relates to data which are publicly available.

In cases other than those referred to above, the transfer of personal data to a third country which does not ensure at least the same level of personal data protection as that in force in Poland may take place only subject to the prior consent of the General Inspector, provided that the data controller ensures adequate safeguards with respect to the protection of the privacy, rights and freedoms of the data subject (the use of "standard contractual clauses" approved by the European Commission, or the implementation of Binding Corporate Rules easing the granting of such approval).

For the transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirement of the PDPA and the consent of the General Inspector is not required.

The transfer of personal data is also allowed if it is required by legal provisions or by the provisions of any ratified international agreement which guarantees an adequate level of personal data protection.

SECURITY

The data controller is obliged to implement technical and organisational measures to protect the personal data being processed, appropriate to the risks and category of data being protected, and to protect data against unauthorised disclosure, takeover by an unauthorised person, processing which violates the PDPA, any change, loss, damage or destruction, and in particular the data controller should:

  • keep the documentation describing the way of data processing and security measures;
  • appoint an administrator of information security who supervises the compliance with security measures;
  • grant authorisation to persons who are allowed to carry out the processing of data;
  • ensure supervision over the following: which data, when and by whom have been entered into the filing system and to whom they are transferred; and
  • keep a register of persons authorised to carry out the processing of data.

There are three levels of security measures depending on the category of data: "basic", "medium" and "high". Where no sensitive data is processed and none of the devices of the IT system used for data processing is connected to the public network (i.e. the Internet), security measures should be applied at the basic level. If the data controller processes sensitive data, security measures should be applied at least at the medium level. If at least one device of the IT system used for data processing is connected to the public network, security measures should be applied at the high level.

BREACH NOTIFICATION

There is no requirement in the PDPA to report data security breaches or losses to the General Inspector or to data subjects. However, pursuant to the Polish Code of Criminal Procedure there is a civic duty to inform the state prosecutor or the Police in the case of the commission of an offence prosecuted ex officio. Non-compliance with the PDPA is an offence.

ENFORCEMENT

In Poland the General Inspector is responsible for the enforcement of the PDPA.

Where there is a breach of the provisions on personal data protection, the General Inspector ex officio or upon a motion of a person concerned, by means of an administrative decision, may issue orders to restore the proper legal state. Failure to comply with the decision is subject to fines up to approximately EUR 50,000.

Furthermore, non-compliance with the PDPA may be a criminal offence. A person who is liable (usually a member of the management board of the company which is the data controller) may be subject to a fine (from approximately EUR 25 to approximately EUR 270,000), a partial restriction of freedom or a prison sentence of up to three years.

ELECTRONIC MARKETING

Electronic marketing activities are subject to the regulations of the PDPA, the Act of 18 July 2002 on Providing Services by Electronic Means (Journal of Laws of 2002, No 144, item 1204 as amended) ("PSEM") and the Telecommunications Act of 16 July 2004 (Journal of Laws of 2004, No 171, item 1800 as amended) ("Telecommunications Act").

The PDPA applies to electronic marketing activities as such activities will involve the processing of personal data; e.g. an e-mail address is likely to be considered personal data for the purposes of the PDPA. The PDPA lays down the grounds for processing personal data for marketing purposes. According to the PDPA, the data controller may process personal data if processing is necessary for the purpose of legitimate interests pursued by the data controller, provided that the processing does not violate the rights and freedoms of the data subject.

Legitimate interests include direct marketing of the data controller's own products or services. Therefore, if marketing activities relate only to products and services owned by the data controller, consent for such processing is not required. The data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services not owned by the data controller, prior consent for such processing is necessary. In each case the data subject should be informed about the processing of his/her personal data for marketing purposes.

Apart from consent for the processing of personal data (if such consent is required), the PSEM imposes an obligation to obtain a separate consent for sending marketing information by electronic means (e.g. e-mails and SMS). The consent should not be presumed or be part of another statement of will, and may be withdrawn at any time. Sending commercial information without consent is considered to be an unfair competition practice. A service provider should be able to provide evidence that it has obtained consent.

The Telecommunications Act prohibits the use of automated calling systems for direct marketing, unless a user has given prior consent to this. The consent of the user:

  • may not be presumed or implied by a declaration of will of a different content;
  • may be expressed by electronic means, provided that it is recorded and confirmed by the user; and
  • may be cancelled at any time, in a simple manner and free of charge.

Enforcement and sanctions – Failing to fulfil the obligation to obtain consent for using automated calling systems for direct marketing is subject to a financial penalty of up to 3% of the revenues of the fined company for the past calendar year. The penalty is imposed by the President of the Office of Electronic Communications (hereinafter referred to as the "President of OEC"). In addition, the President of OEC may impose a financial penalty on a person in charge of the company of up to 300% of his/her monthly remuneration.

Sending marketing information by electronic means without consent is subject to criminal liability (a fine) and is considered to be an act of unfair competition.

The sanctions relating to PDPA set out in the Enforcement section above will apply accordingly.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

The Telecommunications Act regulates the collection of transmission and location data and the use of cookies (and similar technologies). The amendment to the Telecommunications Act which implements Directive 2009/136/EC and Directive 2009/140/EC came into force on 21 January 2013, with the exception of the new provisions regarding cookies, which will come into force by 22 March 2013.

Transmission data – The processing of transmission data (understood as data processed for the purpose of transferring messages within telecommunications networks or charging payments for telecommunications services, including location data, which should be understood as any data processed in a telecommunications network or as a part of telecommunications services indicating geographic location of terminal equipment of a user of publicly available telecommunications services) for marketing telecommunications services or for providing value-added services is permitted if the user gives his/her consent.

Data about location – In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a provider of publicly available telecommunications services has to:

  • obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given period or in relation to a given call; or
  • perform the anonymisation of this data.

A provider of publicly available telecommunications services is obliged to inform the user, prior to obtaining his/her consent, of the type of data about location which is to be processed, of the purpose and duration of its processing, and of whether this data is to be passed on to another entity in order to provide a value-added service.

Data about location may be processed only where this is necessary to provide value-added services.

Cookies – The use and storage of cookies and similar technologies requires:

  • providing clear and comprehensive information to the user;
  • obtaining the consent of the user; and
  • that stored information or gaining access to this stored information does not cause configuration changes in the telecommunications device of the user or the software installed on this device.

The user may grant consent by using the settings of the software installed in the final telecommunications device used by him/her or by the service configuration.

According to the explanations of the Ministry of Administration and Digitalisation, which has prepared the amendment to the Telecommunications Act, consent can be inferred by a user's actions, e.g. the user is given clear and relevant information about the cookies that are used and on that basis gives his/her consent by changing browser settings.

Consent is not required if storage or gaining access to cookies is necessary for:

  • transmitting a message using a public telecommunications network; or
  • delivering a service rendered electronically, as required by the user.

Enforcement and sanctions – A company that processes transmission data contrary to the Telecommunications Act, or fails to fulfil the obligation to obtain consent for processing data about location or for storing and gaining access to cookies, is subject to a financial penalty of up to 3% of the company's revenues for the past calendar year. The penalty is imposed by the President of OEC. In addition, the President of OEC may impose a financial penalty on a person in charge of the company of up to 300% of his/her monthly remuneration.

The sanctions relating to PDPA set out in the Enforcement section above will apply accordingly.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com